In August 2020 at the virtual CRYPTO conference, during Friday session *Cryptanalysis 2*, there was a live discussion on the security of pairing-friendly curves, and which ones are the best at the 128-bit security level (asked by F. Vercauteren). This page is an answer summary.

This question is also discussed in an IETF draft mentioned by Hoeteck Wee on the IACR chat.

**First online: September 10, 2020,**

**Last updated: November 24, 2020.** Added a reference to the paper *Implementing Cryptographic Pairings at Standard Security Levels* by Enge and Milan, DOI 10.1007/978-3-319-12060-7_3, arxiv 1407.5953, HAL hal-01034213, for implementing pairings with embedding degrees 9 to 27 including prime embedding degrees, and a Miller loop without twists compatible with 2-NAF form.

# Pairing-friendly curves at the 128-bit security level

Broadly speaking, there are two sets of keysizes at the 128-bit security level: non-conservative choices and conservative choices. They depend on the choices when estimating the cost of computing a discrete logarithm in **F**_{pk} with the new variants of the Number Field Sieve (NFS) algorithm.

For efficient non-conservative pairings, choose BLS12-381 (or any other BLS12 curve or Fotiadis-Martindale curve of roughly 384 bits), for conservative but still efficient, choose a BLS12 or a Fotiadis-Martindale curve of 440 to 448 bits.

**the security between BLS12-446 and BLS12-461 is not worth paying an extra machine word, and is close to the error margin of the security estimate**.

Curve | k |
D |
u |
ref | p (bits) |
r (bits) |
p (^{k/d}G_{2}, bits) |
p (bits)^{k} |
---|---|---|---|---|---|---|---|---|

Curve for fastest pairing |
||||||||

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | -(2^{73}+2^{72}+2^{50}+2^{24}) |
eprint 2017/334 | 440 | 295 | p^{2}, 880 |
5280 |

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | -(2^{12}-2^{48}-2^{71}+2^{74}) |
eprint 2017/334 | 442 | 296 | p^{2}, 884 |
5296 |

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | -(2^{74}+2^{73}+2^{63}+2^{57}+2^{50}+2^{17}+1) |
eprint 2019/885 | 446 | 299 | p^{2}, 892 |
5352 |

Fotiadis-Martindale FM17, aurifeuillean r(x) |
12 | 3 | -2^{72}-2^{71}-2^{36} |
eprint 2019/555 | 447 | 296 | p^{2}, 894 |
5356 |

Kachisa-Schaefer-Scott KSS16 | 16 | 1 | -2^{34}+2^{27}-2^{23}+2^{20}-2^{11}+1 |
eprint 2017/334 | 330 | 257 | p^{4}, 1320 |
5280 |

Kachisa-Schaefer-Scott KSS16 | 16 | 1 | 2^{34}-2^{30}+2^{26}+2^{23}+2^{14}-2^{5}+1 |
eprint 2019/1371 | 330 | 256 | p^{4}, 1320 |
5268 |

Kachisa-Schaefer-Scott KSS16 | 16 | 1 | 2^{35}-2^{32}-2^{18}+2^{8}+1 |
eprint 2017/334 | 339 | 263 | p^{4}, 1356 |
5411 |

Curve with small embedding degree k |
||||||||

Cocks-Pinch modified | 6 | 3 | 2^{128}-2^{124}-2^{69}, h=xx, _{t}h=_{y}`0xXX` |
eprint 2019/431 | 672 | 256 | p, 672 |
4028 |

Cocks-Pinch modified | 8 | 1 | 2^{64}-2^{54}+2^{37}+2^{32}-4, h=1, _{t}h=_{y}`0xdc04` |
eprint 2019/431 | 544 | 256 | p^{2}, 1088 |
4349 |

Curve with smallest G_{1} |
||||||||

Freeman-Scott-Teske 6.6 `BW13-P310` , cyclotomic r(x) |
13 | 3 | `0x8b0` |
eprint 2020/760 | 310 | 267 | p^{13}, 4030 |
4027 |

Freeman-Scott-Teske 6.6 `BW19-P286` , cyclotomic r(x) |
19 | 3 | `-0x91` |
eprint 2020/760 | 286 | 259 | p^{19}, 5434 |
5427 |

Barreto-Lynn-Scott BLS24, cyclotomic r(x) |
24 | 3 | -2^{32}+2^{28}-2^{23}+2^{21}+2^{18}+2^{12}-1 |
eprint 2019/885 | 318 | 256 | p^{4}, 1272 |
7621 |

Barreto-Lynn-Scott BLS24, cyclotomic r(x) |
24 | 3 | -2^{32}+2^{28}+2^{12} |
eprint 2019/485 | 318 | 256 | p^{4}, 1272 |
7632 |

Barreto-Lynn-Scott BLS48, cyclotomic r(x) |
48 | 3 | `0xf5ef` |
MIRACL | 286 | 256 | p^{8}, 2288 |
13698 |

Scott-Guillevic KSS54, Aurifeuillean r(x) |
54 | 3 | `-0x2886` |
Mike Scott, personal communication | 283 | 255 | p^{9}, 2547 |
15264 |

Other popular curve |
||||||||

Barreto-Naehrig BN, Aurifeuillean r(x) |
12 | 3 | 2^{110}+2^{36}+1 |
eprint 2010/429 | 446 | 446 | p^{2}, 892 |
5343 |

Some of the parameters can be found in the Python file testvector_sparseseed.py

## More info

### BLS12-381

**Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-based Cryptography** by Menezes, Sarkar and Singh, published at Mycrypt 2016 conference, LNCS 10311, pp. 83–108, (DOI 10.1007/978-3-319-61273-7_5, eprint 2016/1102) is the first paper to analyze thoroughly the consequences of TNFS, STNFS and their variants to target groups of pairing-friendly curves. The conclusion recommends BLS12 or BN curves over 384-bit prime fields instead of BN curves over 256-bit fields. Based on this work, the curve BLS12-381 was chosen by ZCash. This curve is now widely deployed.

### BLS12-461, BN-462

In 2017 (published in 2019), Barbulescu and Duquesne wrote **Updating key size estimations for pairings**, Journal of Cryptology, vol. 32, pp. 1298–1336, DOI 10.1007/s00145-018-9280-5, eprint 2017/334. They advised the following curves:

- a BLS-12 curve over a 461-bit field;
- a BN curve over a 462-bit field;
- a KSS16 curve over a 330-bit field and another over a 339-bit field;
- a KSS18 curve over a 348-bit field.

Their contribution is a refined model of cost compared to the previous work of Menezes, Sarkar and Singh.

### BLS12-446, Fotiadis-Martindale, Cocks-Pinch, Brezing-Weng

I wrote the paper **A short list of pairing-friendly curves at the 128-bit security level** presented at PKC2020 and eprint 2019/1371. A SageMath version (for easy copy-paste) is available on gitlab, this is project tnfs-alpha/alpha Then under `sage`

, the file `example_curves_short_list.sage`

contains this short list.

For each embedding degree from 9 to 17, the best option is selected. The final result is Table 6 page 20 reproduced below.

Curve | k |
D |
u |
ref | p (bits) |
r (bits) |
p (^{k/d}G_{2}, bits) |
p (bits)^{k} |
---|---|---|---|---|---|---|---|---|

Cocks-Pinch modified | 6 | 3 | 2^{128}-2^{124}-2^{69}, h=xx, _{t}h=_{y}`0xXX` |
eprint 2019/431 | 672 | 256 | p, 672 |
4028 |

Cocks-Pinch modified | 8 | 1 | 2^{64}-2^{54}+2^{37}+2^{32}-4, h=1, _{t}h=_{y}`0xdc04` |
eprint 2019/431 | 544 | 256 | p^{2}, 1088 |
4349 |

Brezing-Weng, cyclotomic r(x) (FM15) |
10 | 15 | 2^{32}-2^{26}-2^{17}+2^{10}-1 |
eprint 2019/1371 | 446 | 256 | p^{5}, 2230 |
4458 |

Brezing-Weng, cyclotomic r(x) |
11 | 3 | `-0x1d2a` |
eprint 2019/1371 | 333 | 258 | p^{11}, 3663 |
3663 |

Brezing-Weng, cyclotomic r(x) |
11 | 11 | -2^{26}+2^{21}+2^{19}-2^{11}-2^{9}-1 |
eprint 2019/1371 | 412 | 256 | p^{11}, 4532 |
4528 |

Barreto-Naehrig BN, aurifeuillean r(x) |
12 | 3 | 2^{110}+2^{36}+1 |
eprint 2010/429 | 446 | 446 | p^{2}, 892 |
5343 |

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | -(2^{74}+2^{73}+2^{63}+2^{57}+2^{50}+2^{17}+1) |
eprint 2019/885 | 446 | 299 | p^{2}, 892 |
5352 |

Fotiadis-Martindale FM17, aurifeuillean r(x) |
12 | 3 | -2^{72}-2^{71}-2^{36} |
eprint 2019/555 | 447 | 296 | p^{2}, 894 |
5356 |

Freeman-Scott-Teske 6.6 `BW13-P310` , cyclotomic r(x) |
13 | 3 | `0x8b0` |
eprint 2020/760 | 310 | 267 | p^{13}, 4030 |
4027 |

Freeman-Scott-Teske 6.6, cyclotomic r(x) |
14 | 3 | `0x2803c0` |
eprint 2019/1371 | 340 | 256 | p^{7}, 2380 |
4755 |

Kachisa-Schaefer-Scott KSS16 | 16 | 1 | -2^{34}+2^{27}-2^{23}+2^{20}-2^{11}+1 |
eprint 2017/334 | 330 | 257 | p^{4}, 1320 |
5280 |

Kachisa-Schaefer-Scott KSS16 | 16 | 1 | 2^{34}-2^{30}+2^{26}+2^{23}+2^{14}-2^{5}+1 |
eprint 2019/1371 | 330 | 256 | p^{4}, 1320 |
5268 |

### Implementing pairings on curves of embedding degrees 9 to 27 (in particular, prime degrees)

- Enge, A., Milan, J.:
*Implementing cryptographic pairings at standard security levels*. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) Security, Privacy, and Applied Cryptography Engineering – 4th International Conference, SPACE 2014, Pune, India, October 18-22, 2014. Proceedings. LNCS, vol. 8804, pp. 28-46. Springer (2014). DOI 10.1007/978-3-319-12060-7_3, arxiv 1407.5953, HAL hal-01034213.

This paper implements and compares pairings with embedding degrees between 9 and 27, in particular it presents a Miller loop compatible with 2-NAF form and a prime embedding degree (such as 11, 17, 19). The paper made parameters choices in 2014, before the TNFS algorithm was published, the sizes would need to be increased. It compares the pairing efficiency on curves of embedding degrees 9 to 27, in particular it offers a valuable comparison between prime and composite embedding degrees.

### Cocks-Pinch modified

with Simon Masson and Emmanuel Thomé we investigated variants of Cocks-Pinch in this paper: **Cocks-Pinch curves of embedding degrees five to eight and optimal ate pairing computation**, Designs, Codes and Cryptography, vol. 88 pp. 1047–1081 DOI 10.1007/s10623-020-00727-w, eprint 2019/431.

### Fotiadis-Martindale

There is also a family of curves introduced by Fotiadis and Martindale: eprint 2019/555. These curves have similar properties as BLS12 curves and have the same security. See also *TNFS Resistant Families of Pairing-Friendly Elliptic Curves*, Georgios Fotiadis and Elisavet Konstantinou, Journal of Theoretical Computer Science, vol. 800, pp. 73–89, 2019, DOI 10.1016/j.tcs.2019.10.017, eprint 2018/1017.

### Clarisse-Duquesne-Sanders

Rémi Clarisse et al. investigated smallest possible **G**_{1} in eprint 2020/760. They obtained the curve BW19-P286, a Brezing-Weng curve of embedding degree 19 defined over a 286-bit prime field. This is the record in terms of smallest possible **G**_{1} and is well-suited for 32-bit architecture.

### BLS24-318

On a Github discussion page here, BLS-24 curves are discussed, because they provide very small **G**_{1} (in other words, a very small *p* provides a fast arithmetic in **G**_{1}).

In eprint 2019/885 with Singh we estimated the security of another BLS24-318 curve to be 162 bits in **F**_{pk}. The security on the curve is 128 bits with *r* of 256 bits.

In testvector_sparseseed.py there are other seeds so that *r* has 250 to 257 bits, and *r*-1 and *p*-1 have a high 2-valuation, of 18 to 20.

### BLS48-286, KSS54-283

Mike Scott investigated shortest **G**_{1} with high embedding degree *k*, and degree 6 twist. The curve BLS48-286 is implemented in MIRACL. He also suggested to compare the performances to a KSS54 curve with *p* of 283 bits and *r* of 255 bits obtained with `u=-0x2886`

.

## BLS12-381, BLS12-461, or BLS12-446?

In Barbulescu–Duquesne paper **Updating key size estimations for pairings**, Journal of Cryptology, vol. 32, pp. 1298–1336, DOI 10.1007/s00145-018-9280-5, eprint 2017/334, there is a remark (2 page 18) saying that a BLS12-442 only has 127 bits of security. I guess this is because of this remark that cryptographers are not promoting BLS12 with 7 machine-words (448 bits) but prefer 461 bits as in the IETF draft mentioned by Hoeteck Wee on the IACR chat.

Barbulescu-Duquesne remark is below:

Remark 2.

Zhaohui Cheng communicated to us two choices of BLS12 curses which have 127 bits of security:

- equation
y^{2}=x^{3}+9 and parameteru=-(2^{73}+2^{72}+2^{50}+2^{24});- equation
y^{2}=x^{3}+7 and parameteru=-(2^{12}-2^{48}-2^{71}+2^{74}).The field

pis 5280 bits long instead of the 5530 bits required by the general estimations in Table 7. Hence, our approach of first finding general recommendations for each family (assuming the attacker can apply all improvements), then checking specific values of^{k}u, only loses 5% in length.

For efficient modular arithmetic, finite fields elements (integers modulo *p*, also denoted **Z**/*p***Z**) are represented in Montgomery form, and all the bits of the machine-words are filled. It means elements of **F**_{p} where *p* is 385 to 448-bit long are stored in the full 448 bits. And elements of **F**_{p} where *p* is 449 to 512-bit long are stored in 512 bits. From 7 machine words (BLS12-446) to 8 machine words (BLS12-461), the length in Montgomery form is increased by 14% (8/7*100), not 5%. Because the timings of modular multiplications are quadratic in the machine-word size of the modular integers, the slowdown in time could be up to 30%. 2019/431 reports a slowdown of 25% for modular multiplication from 7 machine-words to 8 machine-words when benchmarking RELIC.

With the improved estimation implemented with Shashank Singh, we obtained that such BLS12 curves of 440 to 448 bits have roughly a security of 132 bits, these are page 34 and 35 in 2019/885. The security of BLS12-461 is estimated to be between 134 and 135 bits.

In short, **the security between BLS12-446 and BLS12-461 is not worth paying an extra machine word, and is close to the error margin of the security estimate**.

## About eprint 2019/485

The preprint 2019/485 by Barbulescu, El Mrabet and Ghammam was posted on eprint on May 13, 2019. It lists curves mostly from Freeman, Scott and Teske paper **A taxonomy of pairing-friendly elliptic curves**, Journal of Cryptology vol. 23, pp. 224–280, 2010, DOI 10.1007/s00145-009-9048-z, eprint 2006/372. I contacted the authors of eprint 2019/485 on August 20, 2019 because our respective results did not match on many curves. The preprint was updated on September 13, 2020. Comments are on a separate page.

In July 3-6, 2020 at ITC-CSCC 2020, Nagoya (Online Conference), these curves were implemented and compared. It turned out that they are slower (than BLS12 for example), because fewer optimisations are available (in particular, a quadratic twist only for *k*=10 and *k*=14, a cubic twist for *k*=15, instead of a sextic twist for BN, BLS12, Fotiadis-Martindale *k*=12 curves results in a slower pairing).

Curve | k |
D |
u |
ref | p (bits) |
r (bits) |
p (bits)^{k} |
---|---|---|---|---|---|---|---|

Brezing-Weng, cyclotomic r(x) |
10 | 2 | 2^{36}+2^{30}+2^{12}+2^{6}+1 |
1 | 503 | 289 | 5024 |

Brezing-Weng, cyclotomic r(x) |
14 | 2 | 2^{21}+2^{13}+2^{11}+2^{10}+2^{9}+1 |
2 | 377 | 253 | 5267 |

BLS15 Barreto-Lynn-Scott, cyclotomic r(x) |
15 | 3 | -2^{32}-2^{22}+2^{17}+2^{6}, -2^{32}-2^{20}-2^{14}-2^{3} |
3, 4 | 383 | 257 | 5737 |

- a
*k*=10,*D*=1 Brezing-Weng curve in R. Matsumura, Y. Takahashi, Y. Nanjo, T. Kusaka and Y. Nogami,*Implementation and Evaluation of Ate Pairings on Elliptic Curves with Embedding Degree 10 Applied Type-II All-One Polynomial Extension Field of Degree 5*, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 336–341, online paper 1. The parameters are*p*(*x*) = (*x*^{14}– 2*x*^{12}+*x*^{10}+*x*^{4}+ 2*x*^{2}+ 1)/4,*r*(*x*) =*x*^{8}–*x*^{6}+*x*^{4}–*x*^{2}+ 1,*t*(*x*) =*x*^{2}+ 1,*c*(*x*) = (*x*^{4}– 1)(*x*^{2}– 1)/4,*y*(*x*) = (*x*-1)(*x*+1)*x*^{5}, and seed*u*=2^{36}+ 2^{30}+ 2^{12}+ 2^{6}+ 1 gives a 503-bit prime*p*and a 289-bit prime*r*. - a
*k*=14,*D*=1 Brezing-Weng curve in*An Implementation and Evaluation of a Pairing on Elliptic Curves with Embedding Degree 14*, Song, Matsumura, Takahashi, Nanjo, Kusaka, Nogami, Matsumoto, ITC-CSCC 2020, Nagoya, Japan, July 3-6, 2020, pp. 293–298, online paper 2. The parameters are*p*(*x*)=(*x*^{18}– 2*x*^{16}+*x*^{14}+*x*^{4}+ 2*x*^{2}+ 1)/4,*r*(*x*)=*x*^{12}–*x*^{10}+*x*^{8}–*x*^{6}+*x*^{4}–*x*^{2}+ 1,*t*(*x*)=*x*^{2}+ 1, curve cofactor is*c*(*x*)=(*x*^{4}– 1)(*x*^{2}– 1)/4,*y*(*x*)=(*x*– 1)(*x*+ 1)*x*^{7}, and seed*u*=2^{21}+ 2^{13}+ 2^{11}+ 2^{10}+ 2^{9}+ 1 gives a 377-bit prime*p*and a 253-bit prime*r*. - a
*k*=15,*D*=3 BLS curve in Y. Nanjo, M. Shirase, T. Kusaka and Y. Nogami,*An Explicit Formula of Cyclotomic Cubing Available for Pairings on Elliptic Curves with Embedding Degrees of Multiple of Three*, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 288–292, online paper 3. Y. Nanjo, M. Shirase, T. Kusaka and Y. Nogami,*A Technique for Fast Miller’s Algorithm of Ate Pairings on Elliptic Curves with Embedding Degrees of Multiple of Three*, ITC-CSCC, Nagoya, Japan, July 3-6, 2020, pp. 283–287, online paper 4. The parameters are*p*(*x*) = (*x*– 1)^{2}/3(*x*^{2}+*x*+ 1)*r*(*x*) +*x*,*r*(*x*) =*x*^{8}–*x*^{7}+*x*^{5}–*x*^{4}+*x*^{3}–*x*+ 1,*t*(*x*) =*x*+ 1,*c*(*x*) = (*x*– 1)(*x*^{3}– 1)/3,*y*(*x*) = (*x*– 1)(2*x*^{5}+ 1)/3, and seeds*u*= – 2^{32}– 2^{22}+ 2^{17}+ 2^{6}and*u*= – 2^{32}– 2^{20}– 2^{14}– 2^{3}give 383-bit prime*p*and 257-bit prime*r*.

# Pairing-friendly curves for zk-SNARKs

In the zero-knowledge community, there are other needs (cycles of MNT curves, chains of curves, parameters *p*-1 and *r*-1 with a high 2-valuation…) A cycle of curves (available only with MNT curves for now) is a pair of pairing-friendly elliptic curves *E*_{1}, *E*_{2} such that *E*_{1} is defined over a finite prime field **F**_{p} and has prime order *r*, and *E*_{2} is defined over the finite field **F**_{r} (where *r* is *E*_{1} order) and has order *p*.

## BLS12 and BLS24 curves

Curve | k |
D |
u |
ref | p (bits) |
r (bits) |
p (^{k/d}G_{2}, bits) |
p (bits)^{k} |
---|---|---|---|---|---|---|---|---|

Popular BLS12-381 curve |
||||||||

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | `-0xd201000000010000` =-2^{63}-2^{62}-2^{60}-2^{57}-2^{48}-2^{16} |
ZCash | 381 | 255 | p^{2}, 762 |
4569 |

Curves with 2^{n}|p-1, 2^{m}|r-1 |
||||||||

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | `0x8508c00000000001` =2^{63}+2^{58}+2^{56}+2^{51}+2^{47}+2^{46}+1 |
Zexe, eprint 2018/962, Table 16 | 377 | 253 | p^{2}, 754 |
4521 |

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | `0x9b04000000000001` =2^{63}+2^{61}-2^{58}-2^{56}+2^{50}+1 |
testvector_sparseseed.py | 379 | 254 | p^{2}, 758 |
4537 |

Barreto-Lynn-Scott BLS12, cyclotomic r(x) |
12 | 3 | `0x105a8000000000001` =2^{64}+2^{59}-2^{57}-2^{55}+2^{53}+2^{51}+1 |
testvector_sparseseed.py | 383 | 257 | p^{2}, 766 |
4592 |

Barreto-Lynn-Scott BLS24, cyclotomic r(x) |
24 | 3 | `-0xbfcfffff` =-2^{32}+2^{30}+2^{22}-2^{20}+1 |
testvector_sparseseed.py | 315 | 253 | p^{4}, 1260 |
7543 |

## MNT curves

Two cycles of elliptic curves are widely deployed: 298-bit parameters and 753-bit parameters (see DOI 10.1007/978-3-662-44381-1_16, eprint 2014/595). I generated other parameters (with the algorithms from Karabina–Teske, eprint 2007/425, DOI 10.1007/978-3-540-79456-1_6) to have an idea of the security for larger parameters, there are at `tnfs/param/TestVectorMNT_k_cycle_D_1e9.py`

. But the curves are not optimized for zk-SNARKs, the valuation at 2 of *p*-1 and *r*-1 is low.

Curve | k |
D |
ref | p (bits) |
r (bits) |
p (bits)^{k} |
estimated security |
---|---|---|---|---|---|---|---|

MNT4-298 | 4 | 614144978799019 | eprint 2014/595 | 298 | 298 | 1192 | 2^{77} |

MNT6-298 | 6 | 614144978799019 | eprint 2014/595 | 298 | 298 | 1788 | 2^{87} |

MNT4-753 | 4 | 241873351932854907 | eprint 2014/595, CODA | 753 | 753 | 3012 | 2^{113} |

MNT6-753 | 6 | 241873351932854907 | eprint 2014/595, CODA | 753 | 753 | 4517 | 2^{137} |

MNT4-992 | 4 | 95718723 | gitlab file | 992 | 992 | 3966 | 2^{126} |

MNT6-992 | 6 | 95718723 | gitlab file | 992 | 992 | 5948 | 2^{156} |

The seeds are the following.

Curve | seed |
---|---|

MNT4-298 | u = `0x1eef5546609756bec2a33f0dc9a1b671660000` |

MNT6-298 | u = `-0xf77aaa3304bab5f61519f86e4d0db38b30000` |

MNT4-753 | u = `-0x15474b1d641a3fd86dcbcee5dcda7fe51852c8cbe26e600733b714aa43c31a66b0344c4e2c428b07a7713041ba18000` |

MNT6-753 | u = `0xaa3a58eb20d1fec36e5e772ee6d3ff28c296465f137300399db8a5521e18d33581a262716214583d3b89820dd0c000` |

MNT4-992 | u = `0xc85f1924b404f160077c049739e871907e407900a6d59abd8e25f63eaec03b9f974bfa92dd5cc38cb09ffdcdd3d19ab23bad8e228130bedd0e0859c32774` |

MNT6-992 | u = `-0x642f8c925a0278b003be024b9cf438c83f203c80536acd5ec712fb1f57601dcfcba5fd496eae61c6584ffee6e9e8cd591dd6c71140985f6e87042ce193ba` |

For a 128-bit security level, an example of cycle for comparison (in terms of length) is the following. Roughly 1024-bit parameters provide a 128-bit security level. For the curve MNT4-992 the estimated cost of NFS-Conjugation is 2^{126} in **F**_{p4} and for MNT6-992 the estimated cost of STNFS is 2^{156} in **F**_{p6}.

```
# MNT4_992
k = 4
u = 0xc85f1924b404f160077c049739e871907e407900a6d59abd8e25f63eaec03b9f974bfa92dd5cc38cb09ffdcdd3d19ab23bad8e228130bedd0e0859c32774
D = 95718723
c = 1
a = -3
b = 0x1c517e4f1632c3879c949ad49791cd8d9a6fc4bba403a3e69053e909ecbd42dbafb80100e0e46c53e85a07d869637e75ca6c3371de1bb090517613b30782f01489562fe913cd858d6671ab2a9d7ceb5c3ce8ea426c577ebb16b3c87a501e4bef0df989d7ec1037f32e852df87dce54696805764e1a072268d650a1ea
pnbits = 992
rnbits = 992
p = u**2 + u + 1
r = u**2 + 1
t = u + 1
y = 0x914c26752f9ff10b6a9060342744c1971bd11ee0a5a9f3dbff85fd462a6807cdbe69fef2c1fc2731306a180a5490999b3e810db101c100f78eee893a3
assert t**2-4*p == -D*y**2
assert p+1-t == r*c
(p-1) % (2**2 * 3 * 5**5 * 13) == 0
(r-1) % (2**4 * 3**2 * 5**10) == 0
Fp = GF(p)
E4 = EllipticCurve([Fp(a),Fp(b)])
# MNT6_992
k = 6
u = -0x642f8c925a0278b003be024b9cf438c83f203c80536acd5ec712fb1f57601dcfcba5fd496eae61c6584ffee6e9e8cd591dd6c71140985f6e87042ce193ba
D = 95718723
c = 1
a = -3
b = 0xa0c214d66abeed117834b3812f966d30b7ce0cef1dc8aec978c8da94cbcf67a2d99c2c1428f9ffb86b280c13144154fb1be8a9e1f4fd886271c3816e25f623c01e344d24440dd2873f6b207862dab186fde6c075b5a0dccdcd86c7656865d75ca94f63a091cf6fc5d538342b81b871bda4b63fac1a9ed8b36ccd906
pnbits = 992
rnbits = 992
p = 4*u**2 + 1
r = 4*u**2 - 2*u + 1
t = 2*u + 1
y = 0x914c26752f9ff10b6a9060342744c1971bd11ee0a5a9f3dbff85fd462a6807cdbe69fef2c1fc2731306a180a5490999b3e810db101c100f78eee893a3
assert t**2-4*p == -D*y**2
assert p+1-t == r*c
(p-1) % (2^4 * 3^2 * 5^10) == 0
(r-1) % (2^2 * 3 * 5^5 * 13) == 0
Fp = GF(p)
E6 = EllipticCurve([Fp(a),Fp(b)])
```