Advertisement

Journal of Cryptology

, Volume 23, Issue 3, pp 477–503 | Cite as

On the Efficient Generation of Prime-Order Elliptic Curves

  • Elisavet Konstantinou
  • Aristides Kontogeorgis
  • Yannis C Stamatiou
  • Christos Zaroliagis
Article

Abstract

We consider the generation of prime-order elliptic curves (ECs) over a prime field \(\mathbb{F}_{p}\) using the Complex Multiplication (CM) method. A crucial step of this method is to compute the roots of a special type of class field polynomials with the most commonly used being the Hilbert and Weber ones. These polynomials are uniquely determined by the CM discriminant D. In this paper, we consider a variant of the CM method for constructing elliptic curves (ECs) of prime order using Weber polynomials. In attempting to construct prime-order ECs using Weber polynomials, two difficulties arise (in addition to the necessary transformations of the roots of such polynomials to those of their Hilbert counterparts). The first one is that the requirement of prime order necessitates that D≡3mod8), which gives Weber polynomials with degree three times larger than the degree of their corresponding Hilbert polynomials (a fact that could affect efficiency). The second difficulty is that these Weber polynomials do not have roots in \(\mathbb{F}_{p}\) .

In this work, we show how to overcome the above difficulties and provide efficient methods for generating ECs of prime order focusing on their support by a thorough experimental study. In particular, we show that such Weber polynomials have roots in the extension field \(\mathbb{F}_{p^{3}}\) and present a set of transformations for mapping roots of Weber polynomials in \(\mathbb{F}_{p^{3}}\) to roots of their corresponding Hilbert polynomials in \(\mathbb{F}_{p}\) . We also show how an alternative class of polynomials, with degree equal to their corresponding Hilbert counterparts (and hence having roots in \(\mathbb{F}_{p}\) ), can be used in the CM method to generate prime-order ECs. We conduct an extensive experimental study comparing the efficiency of using this alternative class against the use of the aforementioned Weber polynomials. Finally, we investigate the time efficiency of the CM variant under four different implementations of a crucial step of the variant and demonstrate the superiority of two of them.

Keywords

Public key cryptography Elliptic curve cryptosystems Complex multiplication Weber polynomials Prime order 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    A.O.L. Atkin, F. Morain, Elliptic curves and primality proving. Math. Comput. 61, 29–67 (1993) zbMATHCrossRefMathSciNetGoogle Scholar
  2. [2]
    H. Baier, Elliptic curves of prime order over optimal extension fields for use in cryptography, in Progress in Cryptology—INDOCRYPT 2001. Lecture Notes in Computer Science, vol. 2247 (Springer, Berlin, 2001), pp. 99–107 CrossRefGoogle Scholar
  3. [3]
    H. Baier, Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography. PhD Thesis, Dept. of Computer Science, Technical Univ. of Darmstadt, May 2002 Google Scholar
  4. [4]
    H. Baier, J. Buchmann, Efficient construction of cryptographically strong elliptic curves, in Progress in Cryptology—INDOCRYPT 2000. Lecture Notes in Computer Science, vol. 1977 (Springer, Berlin, 2000), pp. 191–202 Google Scholar
  5. [5]
    E.R. Berlekamp, Factoring polynomials over large finite fields. Math. Comput. 24, 713–735 (1970) CrossRefMathSciNetGoogle Scholar
  6. [6]
    I. Blake, G. Seroussi, N. Smart, Elliptic Curves in Cryptography. London Mathematical Society Lecture Note Series, vol. 265 (Cambridge University Press, Cambridge, 1999) zbMATHGoogle Scholar
  7. [7]
    D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 514–532 CrossRefGoogle Scholar
  8. [8]
    H. Cohen, A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138 (Springer, Berlin, 1993) zbMATHGoogle Scholar
  9. [9]
    G. Cornacchia, Su di un metodo per la risoluzione in numeri interi dell’ equazione ∑h=0n C h x nh y h=P. G. Mat. Battaglini 46, 33–90 (1908) Google Scholar
  10. [10]
    D.A. Cox, Primes of the Form x 2+ny 2 (Wiley, New York, 1989) Google Scholar
  11. [11]
    A. Enge, F. Morain, Comparing invariants for class fields of imaginary quadratic fields, in Algebraic Number Theory—ANTS V. Lecture Notes in Computer Science, vol. 2369 (Springer, Berlin, 2002), pp. 252–266 Google Scholar
  12. [12]
    A. Enge, R. Schertz, Constructing elliptic curves from modular curves of positive genus. Preprint (2003) Google Scholar
  13. [13]
    A. Enge, R. Schertz, Modular curves of composite level. Acta Arith. 118(2), 129–141 (2005) zbMATHCrossRefMathSciNetGoogle Scholar
  14. [14]
    G. Frey, H.G. Rück, A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves. Math. Comput. 62, 865–874 (1994) zbMATHCrossRefGoogle Scholar
  15. [15]
    S. Galbraith, J. McKee, The probability that the number of points on an elliptic curve over a finite field is prime. J. Lond. Math. Soc. 62(3), 671–684 (2000) zbMATHCrossRefMathSciNetGoogle Scholar
  16. [16]
    GNU multiple precision library, edition 3.1.1, September 2000. Available at: http://www.swox.com/gmp
  17. [17]
    IEEE P1363/D13, Standard Specifications for Public-Key Cryptography, 1999. http://grouper.ieee.org/groups/1363/tradPK/draft.html
  18. [18]
    E. Kaltofen, N. Yui, Explicit construction of the Hilbert class fields of imaginary quadratic fields by integer lattice reduction. Research Report 89-13, Rensselaer Polytechnic Institute, May 1989 Google Scholar
  19. [19]
    E. Kaltofen, T. Valente, N. Yui, An improved Las Vegas primality test, in Proc. ACM-SIGSAM 1989 International Symposium on Symbolic and Algebraic Computation (1989), pp. 26–33 Google Scholar
  20. [20]
    E. Konstantinou, Y. Stamatiou, C. Zaroliagis, A software library for elliptic curve cryptography, in Proc. 10th European Symposium on Algorithms—ESA 2002 (Engineering and Applications Track). Lecture Notes in Computer Science, vol. 2461 (Springer, Berlin, 2002), pp. 625–637 Google Scholar
  21. [21]
    E. Konstantinou, Y. Stamatiou, C. Zaroliagis, On the efficient generation of elliptic curves over prime fields, in Cryptographic Hardware and Embedded Systems—CHES 2002. Lecture Notes in Computer Science, vol. 2523 (Springer, Berlin, 2002), pp. 333–348 CrossRefGoogle Scholar
  22. [22]
    E. Konstantinou, Y.C. Stamatiou, C. Zaroliagis, On the construction of prime order elliptic curves, in Progress in Cryptology—INDOCRYPT 2003. Lecture Notes in Computer Science, vol. 2904 (Springer, Berlin, 2003), pp. 309–322 Google Scholar
  23. [23]
    E. Konstantinou, A. Kontogeorgis, Y. Stamatiou, C. Zaroliagis, Generating prime order elliptic curves: difficulties and efficiency considerations, in International Conference on Information Security and Cryptology—ICISC 2004. Lecture Notes in Computer Science, vol. 3506 (Springer, Berlin, 2005), pp. 261–278 Google Scholar
  24. [24]
    G.J. Lay, H. Zimmer, Constructing elliptic curves with given group order over large finite fields, in Algorithmic Number Theory—ANTS-I. Lecture Notes in Computer Science, vol. 877 (Springer, Berlin, 1994), pp. 250–263 Google Scholar
  25. [25]
    LiDIA. A library for computational number theory. Technical University of Darmstadt. Available from http://www.informatik.tu-darmstadt.de/TI/LiDIA/Welcome.html
  26. [26]
    A.J. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to a finite field. IEEE Trans. Inf. Theory 39, 1639–1646 (1993) zbMATHCrossRefMathSciNetGoogle Scholar
  27. [27]
    A. Miyaji, M. Nakabayashi, S. Takano, Characterization of elliptic curve traces under FR-reduction, in International Conference on Information Security and Cryptology—ICISC 2000. Lecture Notes in Computer Science, vol. 2015 (Springer, Berlin, 2001), pp. 90–108 Google Scholar
  28. [28]
    A. Miyaji, M. Nakabayashi, S. Takano, New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. E84-A(5), 1234–1243 (2001) Google Scholar
  29. [29]
    F. Morain, Modular curves and class invariants. Preprint, June 2000 Google Scholar
  30. [30]
    F. Morain, Computing the cardinality of CM elliptic curves using torsion points. Preprint, October 2002 Google Scholar
  31. [31]
    Y. Nogami, Y. Morikawa, Fast generation of elliptic curves with prime order over \(F_{p^{2^{c}}}\!\) , in Proc. of the International workshop on Coding and Cryptography, March 2003 Google Scholar
  32. [32]
    G.C. Pohlig, M.E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory 24, 106–110 (1978) zbMATHCrossRefMathSciNetGoogle Scholar
  33. [33]
    T. Satoh, K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. St. Pauli 47, 81–91 (1998) zbMATHMathSciNetGoogle Scholar
  34. [34]
    E. Savaş, T.A. Schmidt, Ç.K. Koç, Generating elliptic curves of prime order, in Cryptographic Hardware and Embedded Systems—CHES 2001. Lecture Notes in Computer Science, vol. 2162 (Springer, Berlin, 2001), pp. 145–161 Google Scholar
  35. [35]
    R. Schertz, Weber’s class invariants revisited. J. Théor. Nr. Bordx. 4, 325–343 (2002) MathSciNetGoogle Scholar
  36. [36]
    R. Schoof, Counting points on elliptic curves over finite fields. J. Théor. Nr. Bordx. 7, 219–254 (1995) zbMATHMathSciNetGoogle Scholar
  37. [37]
    M. Scott, P.S.L.M. Barreto, Generating more MNT elliptic curves, Cryptology ePrint Archive, Report 2004/058 (2004) Google Scholar
  38. [38]
    J.H. Silverman, The Arithmetic of Elliptic Curves (Springer, Berlin, 1986). GTM 106 zbMATHGoogle Scholar
  39. [39]
    I. Stewart, Galois Theory, 3rd edn. (Chapman & Hall/CRC, Boca Raton, 2004) zbMATHGoogle Scholar
  40. [40]
    I. Stewart, D. Tall, Algebraic Number Theory, 2nd edn. (Chapman & Hall, London, 1987) zbMATHGoogle Scholar
  41. [41]
    T. Valente, A distributed approach to proving large numbers prime. Rensselaer Polytechnic Institute Troy, New York, PhD Thesis, August 1992 Google Scholar

Copyright information

© International Association for Cryptologic Research 2009

Authors and Affiliations

  • Elisavet Konstantinou
    • 1
    • 2
  • Aristides Kontogeorgis
    • 3
  • Yannis C Stamatiou
    • 4
  • Christos Zaroliagis
    • 5
  1. 1.Department of Information and Communication Systems EngineeringUniversity of the AegeanSamosGreece
  2. 2.Computer Technology InstitutePatrasGreece
  3. 3.Department of MathematicsUniversity of the AegeanSamosGreece
  4. 4.Department of MathematicsUniversity of IoanninaIoanninaGreece
  5. 5.Department of Computer Engineering and InformaticsUniversity of PatrasPatrasGreece

Personalised recommendations