[1]

A.O.L. Atkin, F. Morain, Elliptic curves and primality proving.

*Math. Comput.*
**61**, 29–68 (1993)

MATHCrossRefMathSciNet[2]

D. Bailey, C. Paar, Efficient arithmetic in finite field extensions with application in elliptic curve cryptography.

*J. Cryptol.*
**14**, 153–176 (2001)

MATHMathSciNet[3]

R. Balasubramanian, N. Koblitz, The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm.

*J. Cryptol.*
**11**, 141–145 (1998)

MATHCrossRefMathSciNet[4]

P.S.L.M. Barreto, M. Naehrig, Pairing-friendly elliptic curves of prime order, in

*Selected Areas in Cryptography—SAC 2005*. Lecture Notes in Computer Science, vol. 3897 (Springer, Berlin, 2006), pp. 319–331

CrossRef[5]

P.S.L.M. Barreto, B. Lynn, M. Scott, Constructing elliptic curves with prescribed embedding degrees, in *Security in Communication Networks—SCN 2002*. Lecture Notes in Computer Science, vol. 2576 (Springer, Berlin, 2002), pp. 263–273

[6]

P.S.L.M. Barreto, H.Y. Kim, B. Lynn, M. Scott, Efficient algorithms for pairing-based cryptosystems, in

*Advances in Cryptology—Crypto 2002*. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 354–368

CrossRef[7]

P.S.L.M. Barreto, B. Lynn, M. Scott, On the selection of pairing-friendly groups, in *Selected Areas in Cryptography—SAC 2003*. Lecture Notes in Computer Science, vol. 3006 (Springer, Berlin, 2003), pp. 17–25

[8]

P.S.L.M. Barreto, S. Galbraith, C. O’hEigeartaigh, M. Scott, Efficient pairing computation on supersingular abelian varieties.

*Des. Codes Cryptogr.*
**42**, 239–271 (2007)

MATHCrossRefMathSciNet[9]

P. Bateman, R. Horn, A heuristic asymptotic formula concerning the distribution of prime numbers.

*Math. Comput.*
**16**, 363–367 (1962)

MATHCrossRefMathSciNet[10]

N. Benger, M. Charlemagne, D. Freeman, On the security of pairing-friendly abelian varieties over non-prime fields, in

*Pairing-Based Cryptography—Pairing 2009*, to appear. Preprint available at:

http://eprint.iacr.org/2008/417/
[11]

I.F. Blake, G. Seroussi, N.P. Smart (eds.),

*Advances in Elliptic Curve Cryptography* (Cambridge University Press, Cambridge, 2005)

MATH[12]

D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in

*Advances in Cryptology—Crypto 2001*. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 213–229. Full version:

*SIAM J. Comput.*
**32**(3), 586–615 (2003)

CrossRef[13]

D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in

*Advances in Cryptology—Asiacrypt 2001*. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2002), pp. 514–532. Full version:

*J. Cryptol.*
**17**, 297–319 (2004)

CrossRef[14]

D. Boneh, E.-J. Goh, K. Nissim, Evaluating 2-DNF formulas on ciphertexts, in *Theory of Cryptography Conference—TCC 2005*. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 325–341

[15]

W. Bosma, J. Cannon, C. Playoust, The Magma algebra system. I. The user language.

*J. Symb. Comput.*
**24**(3–4), 235–265 (1997)

MATHCrossRefMathSciNet[16]

A. Bostan, F. Morain, B. Salvy, É. Schost, Fast algorithms for computing isogenies between elliptic curves.

*Math. Comput.*
**77**, 1755–1778 (2008)

CrossRefMathSciNet[17]

F. Brezing, A. Weng, Elliptic curves suitable for pairing based cryptography.

*Des. Codes Cryptogr.*
**37**, 133–141 (2005)

MATHCrossRefMathSciNet[18]

R. Bröker, Constructing elliptic curves of prescribed order. Ph.D. thesis, Dept. of Mathematics, Leiden University, 2006. Available at:

http://www.math.leidenuniv.nl/~reinier/thesis.pdf
[19]

J.C. Cha, J.H. Cheon, An identity-based signature from gap Diffie–Hellman groups, in *Public-Key Cryptography—PKC 2003*. Lecture Notes in Computer Science, vol. 2567 (Springer, Berlin, 2003), pp. 18–30

[20]

D. Charles, On the existence of distortion maps on ordinary elliptic curves, Cryptology ePrint Archive Report 2006/128. Available at:

http://eprint.iacr.org/2006/128/
[21]

L. Chen, Z. Cheng, N. Smart, Identity-based key agreement protocols from pairings.

*Int. J. Inf. Secur.*
**6**, 213–241 (2007)

CrossRef[22]

C. Cocks, R.G.E. Pinch, Identity-based cryptosystems based on the Weil pairing. Unpublished manuscript, 2001

[23]

A. Comuta, M. Kawazoe, T. Takahashi, Pairing-friendly elliptic curves with small security loss by Cheon’s algorithm, in

*Information Security and Cryptography—ICISC 2007*. Lecture Notes in Computer Science, vol. 4817 (Springer, Berlin, 2007), pp. 297–308

CrossRef[24]

D. Coppersmith, Fast evaluation of logarithms in fields of characteristic two.

*IEEE Trans. Inf. Theory*
**30**, 587–594 (1984)

MATHCrossRefMathSciNet[25]

G. Cornell, J. Silverman (eds.),

*Arithmetic Geometry* (Springer, New York, 1986)

MATH[26]

P. Duan, S. Cui, C.W. Chan, Effective polynomial families for generating more pairing-friendly elliptic curves, Cryptology ePrint Archive Report 2005/236. Available at:

http://eprint.iacr.org/2005/236/
[27]

R. Dupont, A. Enge, F. Morain, Building curves with arbitrary small MOV degree over finite prime fields.

*J. Cryptol.*
**18**, 79–89 (2005)

MATHCrossRefMathSciNet[28]

I. Duursma, P. Gaudry, F. Morain, Speeding up the discrete log computation on curves with automorphisms, in *Advances in Cryptology—Asiacrypt 1999*. Lecture Notes in Computer Science, vol. 1716 (Springer, Berlin, 1999), pp. 103–121

[29]

A. Enge, The complexity of class polynomial computation via floating point approximations.

*Math. Comput.*
**78**, 1089–1107 (2009)

MathSciNet[30]

D. Freeman, Constructing pairing-friendly elliptic curves with embedding degree 10, in

*Algorithmic Number Theory Symposium—ANTS-VII*. Lecture Notes in Computer Science, vol. 4076 (Springer, Berlin, 2006), pp. 452–465

CrossRef[31]

D. Freeman, Constructing pairing-friendly genus 2 curves with ordinary Jacobians, in

*Pairing-Based Cryptography—Pairing 2007*. Lecture Notes in Computer Science, vol. 4575 (Springer, Berlin, 2007), pp. 152–176

CrossRef[32]

D. Freeman, A generalized Brezing–Weng method for constructing pairing-friendly ordinary abelian varieties, in

*Pairing-Based Cryptography—Pairing 2008*. Lecture Notes in Computer Science, vol. 5209 (Springer, Berlin, 2008), pp. 146–163

CrossRef[33]

D. Freeman, P. Stevenhagen, M. Streng, Abelian varieties with prescribed embedding degree, in

*Algorithmic Number Theory Symposium—ANTS-VIII*. Lecture Notes in Computer Science, vol. 5011 (Springer, Berlin, 2008), pp. 60–73

CrossRef[34]

G. Frey, H. Rück, A remark concerning

*m*-divisibility and the discrete logarithm in the divisor class group of curves.

*Math. Comput.*
**62**, 865–874 (1994)

MATHCrossRef[35]

S. Galbraith, V. Rotger, Easy decision Diffie–Hellman groups.

*LMS J. Comput. Math.*
**7**, 201–218 (2004)

MATHMathSciNet[36]

S. Galbraith, J. McKee, P. Valença, Ordinary abelian varieties having small embedding degree.

*Finite Fields Appl.*
**13**, 800–814 (2007)

MATHCrossRefMathSciNet[37]

S. Galbraith, K. Paterson, N. Smart, Pairings for cryptographers.

*Discrete Appl. Math.*
**15**, 3113–3121 (2008)

CrossRefMathSciNet[38]

R. Gallant, R.J. Lambert, S.A. Vanstone, Faster point multiplication on elliptic curves with efficient endomorphisms, in

*Advances in Cryptology—Crypto 2001*. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 190–200

CrossRef[39]

R. Granger, D. Page, N. Smart, High security pairing-based cryptography revisited, in

*Algorithmic Number Theory Symposium ANTS-VII*. Lecture Notes in Computer Science, vol. 4076 (Springer, Berlin, 2006), pp. 480–494

CrossRef[40]

K. Harrison, D. Page, N.P. Smart, Software implementation of finite fields of characteristic three, for use in pairing-based cryptosystems.

*LMS J. Comput. Math.*
**5**, 181–193 (2002)

MATHMathSciNet[41]

F. Hess, Pairing lattices, in

*Pairing-Based Cryptography—Pairing 2008*. Lecture Notes in Computer Science, vol. 5209 (Springer, Berlin, 2008), pp. 18–38

CrossRef[42]

F. Hess, N. Smart, F. Vercauteren, The Eta pairing revisited.

*IEEE Trans. Inf. Theory*
**52**, 4595–4602 (2006)

CrossRefMathSciNet[43]

L. Hitt, On the minimal embedding field, in

*Pairing-Based Cryptography—Pairing 2007*. Lecture Notes in Computer Science, vol. 4575 (Springer, Berlin, 2007), pp. 294–301

CrossRef[44]

A. Joux, A one round protocol for tripartite Diffie–Hellman, in

*Algorithmic Number Theory Symposium—ANTS-IV*. Lecture Notes in Computer Science, vol. 1838 (Springer, Berlin, 2000), pp. 385–393. Full version:

*J. Cryptol.*
**17**, 263–276 (2004)

CrossRef[45]

A. Joux, K. Nguyen, Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups.

*J. Cryptol.*
**16**, 239–247 (2003)

MATHCrossRefMathSciNet[46]

E. Kachisa, Constructing Brezing–Weng pairing friendly elliptic curves using elements in the cyclotomic field. M.Sc. dissertation, Mzuzu University, 2007

[47]

E. Kachisa, E. Schaefer, M. Scott, Constructing Brezing–Weng pairing friendly elliptic curves using elements in the cyclotomic field, in

*Pairing-Based Cryptography—Pairing 2008*. Lecture Notes in Computer Science, vol. 5209 (Springer, Berlin, 2008), pp. 126–135

CrossRef[48]

K. Karabina, On prime-order elliptic curves with embedding degrees 3, 4 and 6. M.Math. thesis, Univ. of Waterloo, Dept. of Combinatorics and Optimization, 2006

[49]

K. Karabina, E. Teske, On prime-order elliptic curves with embedding degrees 3, 4 and 6, in

*Algorithmic Number Theory Symposium—ANTS-VIII*. Lecture Notes in Computer Science, vol. 5011 (Springer, Berlin, 2008), pp. 102–117

CrossRef[50]

N. Koblitz, Good and bad uses of elliptic curves in cryptography.

*Mosc. Math. J.*
**2**, 693–715 (2002) 805–806

MATHMathSciNet[51]

N. Koblitz, A. Menezes, Pairing-based cryptography at high security levels, in *Proceedings of Cryptography and Coding: 10th IMA International Conference*. Lecture Notes in Computer Science, vol. 3796 (Springer, Berlin, 2005), pp. 13–36

[52]

S. Lang,

*Elliptic Functions* (Springer, Berlin, 1987)

MATH[53]

S. Lang,

*Algebra*, revised 3rd edn. (Springer, Berlin, 2002)

MATH[54]

A.K. Lenstra, Unbelievable security: Matching AES security using public key systems, in

*Advances in Cryptology—Asiacrypt 2001*. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 67–86

CrossRef[55]

R. Lidl, H. Niederreiter, *Finite Fields* (Cambridge University Press, Cambridge, 1997)

[56]

F. Luca, I. Shparlinski, Elliptic curves with low embedding degree.

*J. Cryptol.*
**19**, 553–562 (2006)

MATHCrossRefMathSciNet[57]

F. Luca, D. Mireles, I. Shparlinski, MOV attack in various subgroups on elliptic curves.

*Ill. J. Math.*
**48**, 1041–1052 (2004)

MATHMathSciNet[58]

K. Matthews, The Diophantine equation

*x*
^{2}−

*Dy*
^{2}=

*N*,

*D*>0.

*Expo. Math.*
**18**, 323–331 (2000)

MATHMathSciNet[59]

A. Menezes,

*Elliptic Curve Public Key Cryptosystems* (Kluwer Academic, Dordrecht, 1993)

MATH[60]

A. Menezes, An introduction to pairing-based cryptography. Notes from lectures given in Santander, Spain, 2005. Available at:

http://www.cacr.math.uwaterloo.ca/~ajmeneze/publications/pairings.pdf
[61]

A. Menezes, S. Vanstone, Isomorphism classes of elliptic curves over finite fields of characteristic 2.

*Util. Math.*
**38**, 135–153 (1990)

MATHMathSciNet[62]

A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field.

*IEEE Trans. Inf. Theory*
**39**, 1639–1646 (1993)

MATHCrossRefMathSciNet[63]

V. Miller, The Weil pairing, and its efficient calculation.

*J. Cryptol.*
**17**, 235–261 (2004)

MATHCrossRef[64]

A. Miyaji, M. Nakabayashi, S. Takano, New explicit conditions of elliptic curve traces for FR-reduction. *IEICE Trans. Fundam.*
**E84-A**(5), 1234–1243 (2001)

[65]

F. Morain, Classes d’isomorphismes des courbes elliptiques supersingulières en caracteristique ≥3.

*Util. Math.*
**52**, 241–253 (1997)

MATHMathSciNet[66]

A. Murphy, N. Fitzpatrick, Elliptic curves for pairing applications, Cryptology ePrint Archive Report 2005/302. Available at:

http://eprint.iacr.org/2005/302
[67]

M. Naehrig, P.S.L.M. Barreto, P. Schwabe, On compressible pairings and their computation, in

*Progress in Cryptology—Africacrypt 2008*. Lecture Notes in Computer Science, vol. 5023 (Springer, Berlin, 2008), pp. 371–388

CrossRef[68]

A. Odlyzko, Discrete logarithms in finite fields and their cryptographic significance, in *Advances in Cryptology—Eurocrypt 1984*. Lecture Notes in Computer Science, vol. 209 (Springer, Berlin, 1985), pp. 224–314

[69]

D. Page, N. Smart, F. Vercauteren, A comparison of MNT curves and supersingular curves.

*Appl. Algebra Eng., Commun. Comput.*
**17**, 379–392 (2006)

MATHCrossRefMathSciNet[70]

K. Paterson, ID-based signatures from pairings on elliptic curves.

*Electron. Lett.*
**38**, 1025–1026 (2002)

CrossRef[71]

S. Pohlig, M. Hellman, An improved algorithm for computing discrete logarithms over

*GF*(

*p*) and its cryptographic significance.

*IEEE Trans. Inf. Theory*
**24**, 106–110 (1978)

MATHCrossRefMathSciNet[72]

J. Pollard, Monte Carlo methods for index computation (mod

*p*).

*Math. Comput.*
**32**, 918–924 (1978)

MATHCrossRefMathSciNet[73]

J. Robertson, Solving the generalized Pell equation

*x*
^{2}−

*Dy*
^{2}=

*N*. Unpublished manuscript, 2004. Available at:

http://hometown.aol.com/jpr2718/pell.pdf
[74]

K. Rubin, A. Silverberg, Finding composite order ordinary elliptic curves using the Cocks–Pinch method, in preparation

[75]

R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based on pairings, in *2000 Symposium on Cryptography and Information Security—SCIS 2000*, Okinawa, Japan, 2000

[76]

E. Schaefer, A new proof for the non-degeneracy of the Frey–Rück pairing and a connection to isogenies over the base field, in

*Computational Aspects of Algebraic Curves*. Lecture Notes Ser. Comput., vol. 13 (World Scientific, Singapore, 2005), pp. 1–12

CrossRef[77]

O. Schirokauer, The number field sieve for integers of low weight.

*Math. Comput.* to appear. Preprint available at:

http://eprint.iacr.org/2006/107/
[78]

M. Scott, Computing the Tate pairing, in *Topics in Cryptology—CT-RSA 2005*. Lecture Notes in Computer Science, vol. 3376 (Springer, Berlin, 2005), pp. 293–304

[79]

M. Scott, Implementing cryptographic pairings, in *Pairing-Based Cryptography—Pairing 2007*. Lecture Notes in Computer Science, vol. 4575 (Springer, Berlin, 2007), pp. 177–196

[80]

M. Scott, P.S.L.M. Barreto, Compressed pairings, in *Advances in Cryptology—Crypto 2004*. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 140–156

[81]

M. Scott, P.S.L.M. Barreto, Generating more MNT elliptic curves.

*Des. Codes Cryptogr.*
**38**, 209–217 (2006)

MATHCrossRefMathSciNet[82]

J. Silverman,

*The Arithmetic of Elliptic Curves* (Springer, Berlin, 1986)

MATH[83]

A. Sutherland, Computing Hilbert class polynomials with the Chinese remainder theorem. Preprint, 2009. Available at

http://arxiv.org/abs/0903.2785
[84]

S. Tanaka, K. Nakamula, Constructing pairing-friendly elliptic curves using factorization of cyclotomic polynomials, in

*Pairing-Based Cryptography—Pairing 2008*. Lecture Notes in Computer Science, vol. 5209 (Springer, Berlin, 2008), pp. 136–145

CrossRef[85]

J. Tate, Endomorphisms of abelian varieties over finite fields.

*Invent. Math.*
**2**, 134–144 (1966)

MATHCrossRefMathSciNet[86]

P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications.

*J. Cryptol.*
**12**, 1–18 (1999)

MATHCrossRef[87]

E. Verheul, Evidence that XTR is more secure than supersingular elliptic curve cryptosystems.

*J. Cryptol.*
**17**, 277–296 (2004)

MATHCrossRefMathSciNet[88]

W. Waterhouse, Abelian varieties over finite fields.

*Ann. Sci. École Norm. Sup. (IV)*
**2**, 521–560 (1969)

MATHMathSciNet