April 2010, Volume 23, Issue 2, pp 224–280
Open Access
This content is freely available online to anyone, anywhere at any time.
Date: 18 Jun 2009
A Taxonomy of Pairing-Friendly Elliptic Curves
 David Freeman,
 Michael Scott,
 Edlyn Teske
Abstract
Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.
Communicated by Dan Boneh
 Title
 A Taxonomy of Pairing-Friendly Elliptic Curves
 Journal

Journal of Cryptology
Volume 23, Issue 2, pp 224–280
 Cover Date
 2010-04-01
 DOI
 10.1007/s00145-009-9048-z
 Print ISSN
 0933-2790
 Online ISSN
 1432-1378
 Publisher
 Springer-Verlag
 Keywords

 Elliptic curves
 Pairing-based cryptosystems
 Embedding degree
 Efficient implementation
 Authors

 David Freeman ^{(1)}
 Michael Scott ^{(2)}
 Edlyn Teske ^{(3)}
 Author Affiliations

 1. CWI and Universiteit Leiden, Science Park 123, 1098 XG, Amsterdam, The Netherlands
 2. School of Computer Applications, Dublin City University, Ballymun, Dublin 9, Ireland
 3. Dept. of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada