Elliptic curves with pairings at 128-bit security in libpbc?

Question

I am using Ben Lynn's libpbc to implement a BLS threshold signature scheme and I am aiming for 128-bit security (i.e., a forgery attack should take around $2^{128}$ tries).

I was wondering what curves in libpbc would provide this level of security?

There are some indications about discrete log security here but I'm not sure how to interpret them. (I don't know too much about elliptic curve cryptography.)

For example, a "type A" curve with a "base field size" of 512 bits and embedding degree 2 is said to have 1024-bit discrete log security in the link above. Does that mean a successful attack on that curve takes around $2^{1024}$ operations? Or does it mean an attack on that curve is equivalent to an attack on a group $G(q) \subset \mathbb{Z}_p^*$ where $|q| = 1024$ bits?

Any tips would be appreciated!

Later edit: A more precise estimate of the security parameter of libpbc's curves would be nice!

Answer 1

The security of pairing-based cryptography relies on the security of the elliptic curve (which is linked to the size of underlying finite field, or "base field") and of the finite extension field being used.

The "Dlog security" column in the linked page is the size of the finite extension field. Its security used to be comparable to the corresponding RSA security; 1024 bits would provide only 80 bits of security. However, The "Dlog security" of the extension fields used in pairings has changed with some recent research, which makes things even more complicated. See Updating key size estimations for pairings, which estimates, for example, that a BN curve with a base field of 451 bits and "Dlog security" of 5532 bits would provide 128 bits of security)

The "Base field size" is related to the elliptic curve security; in this case security is usually half of the field size (to be precise: half the size of the prime-order subgroup). The "type A" curve there would provide 256 bits of security; but since the corresponding Dlog security is only 80 bits, the overall security is only 80.

Considering that, none of the listed benchmarked curves in the page you linked to provide 128-bit security. However, libpbc does support generating curves with arbitrary sizes for some pairing types, so it is possible to generate a pairing with 128-bit security.