I don't know if the landscape has changed much since 2019, but looking at the paper A taxonomy of pairings, their security, their complexity by Barbulescu et al we want a pairing-friendly curve with 128-bits of security and the smallest possible $q$. The best option seems to be in table 11 using the cubic twist variant of BLS coined `k27method66`

by Zhang and Lin in their paper Analysis of optimum pairing products at high security levels where a 300-bit $q$ is possible (the pairing landing in the field $q^{27}$).

For Barreto-Naehrig curves at the 128-bit security level, Barbuescu et el suggest a base prime $q$ of 462 bits.

ETA: To be explicit about the `k27method66`

curve with 300-bit prime, the recipe (per section 5.4 of the Barbulescu paper) is to choose a 15-bit $u$ and set
$$q=(u-1)^2(u^{18}+u^9+1)/3+u$$
$$r=(u^{18}+u^9+1/)3$$
then if $q$ is prime, with these choice a curve with complex multiplication with discriminant 3 over $\mathbb F_q$ will have group size divisible by $r$ and $r$ will divide $q^{27}-1$ which fits the criteria for a pairing taking values in $\mathbb F_{q^{27}}$.
In the table we see to take $u=2^{15}-2^{10}+2^3+1$ and a little `sage`

:

```
u = 2^15-2^10+2^3+1
q = (u-1)^2*(u^18+u^9+1)//3+u
print(q.is_prime())
print(q)
E = EllipticCurve(GF(q),[0,-2])
r = (u^18+u^9+1)//3
print(r.is_prime())
print(r)
print((q^27-1)%r)
print(E.cardinality()%r)
```

produces

```
True
```

`361865065320728439833719086758866208857114634221052000919029745553653612029141017881951817`

```
True
```

`358925642337106139753780938745883044679182292122981674007816040062299252055237641`

```
0
0
```

Telling us that the curve $y^2=x^3-2$ admits a pairing from $E(\mathbb F_q)\times\mathbf E(\mathbb F_{q^{27}})\to \mathbf F_{q^{27}}^\times$. Picking points $P_1$ and $P_2$ of order $r$ from the two curve groups should give generators for a non-degenerate pairing. A private key $s$ can produce public key $sP_2$ and signatures $sH$ where $H$ is a hash of the message to a point in $\langle P_1\rangle$. Note that using point compression we should be able to represent $sH$ in 299 bits ($q$ is actually only 298 bits long). Signature can be checked by the pairing relationship $e(H,sP_2)=e(sH,P_2)$.