Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography

A cryptographic pairing evaluates as an element of a finite extension field, and the evaluation itself involves a considerable amount of extension field arithmetic. It is recognised that organising the extension field as a “tower” of subfield extensions has many advantages. Here we consider criteria that apply when choosing the best towering construction, and the associated choice of irreducible polynomials for the implementation of pairing-based cryptosystems. We introduce a method for automatically constructing efficient towers for more classes of finite fields than previous methods, some of which allow faster arithmetic. We also show that for some families of pairing-friendly elliptic curves defined over Fp there are a large number of instances for which an efficient tower extension Fpk is given immediately if the parameter defining the prime characteristic of the field satisfies a few easily checked equivalences.