Recent progress in number field sieve (NFS) has shaken the security of Pairing-based Cryptography. For the discrete logarithm problem (DLP) in finite field, we present the first systematic review of the NFS algorithms from three perspectives: the degree $\alpha$, constant $c$, and hidden constant $o(1)$ in the asymptotic complexity $L_Q\left(\alpha,c\right)$ and indicate that further research is required to optimize the hidden constant. Using the special extended tower NFS algorithm, we conduct a thorough security evaluation for all the existing standardized PF curves as well as several commonly utilized curves, which reveals that the BN256 curves recommended by the SM9 and the previous ISO/IEC standard exhibit only 99.92 bits of security, significantly lower than the intended 128-bit level. In addition, we comprehensively analyze the security and efficiency of BN, BLS, and KSS curves for different security levels. Our analysis suggests that the BN curve exhibits superior efficiency for security strength below approximately 105 bit. For a 128-bit security level, BLS12 and BLS24 curves are the optimal choices, while the BLS24 curve offers the best efficiency for security levels of 160bit, 192bit, and 256bit.

翻译：数域筛法（NFS）的最新进展已动摇基于配对密码学的安全性。针对有限域中的离散对数问题（DLP），我们从三个维度首次系统回顾了NFS算法：渐进复杂度 $L_Q\left(\alpha,c\right)$ 中的度数 $\alpha$、常数 $c$ 及隐藏常数 $o(1)$，并指出需进一步研究以优化该隐藏常数。基于特殊扩展塔NFS算法，我们对所有现有标准化配对友好（PF）曲线及若干常用曲线进行了彻底的安全性评估，结果显示SM9及前ISO/IEC标准推荐的BN256曲线仅具有99.92比特的安全强度，显著低于预期的128比特安全级。此外，我们全面分析了BN、BLS及KSS曲线在不同安全等级下的安全性与效率。分析表明：BN曲线在约105比特以下的安全强度下具有最优效率；对于128比特安全级，BLS12与BLS24曲线为最优选择，而BLS24曲线在160比特、192比特及256比特安全级下提供最佳效率。