# On the Efficient Generation of Prime-Order Elliptic Curves

## Abstract

We consider the generation of prime-order elliptic curves (ECs) over a prime field \(\mathbb{F}_{p}\) using the Complex Multiplication (CM) method. A crucial step of this method is to compute the roots of a special type of class field polynomials with the most commonly used being the Hilbert and Weber ones. These polynomials are uniquely determined by the CM discriminant *D*. In this paper, we consider a variant of the CM method for constructing elliptic curves (ECs) of prime order using Weber polynomials. In attempting to construct prime-order ECs using Weber polynomials, two difficulties arise (in addition to the necessary transformations of the roots of such polynomials to those of their Hilbert counterparts). The first one is that the requirement of prime order necessitates that \(D \equiv 3 \pmod{8}\), which gives Weber polynomials with degree three times larger than the degree of their corresponding Hilbert polynomials (a fact that could affect efficiency). The second difficulty is that these Weber polynomials do not have roots in \(\mathbb{F}_{p}\).

In this work, we show how to overcome the above difficulties and provide efficient methods for generating ECs of prime order focusing on their support by a thorough experimental study. In particular, we show that such Weber polynomials have roots in the extension field \(\mathbb{F}_{p^{3}}\) and present a set of transformations for mapping roots of Weber polynomials in \(\mathbb{F}_{p^{3}}\) to roots of their corresponding Hilbert polynomials in \(\mathbb{F}_{p}\). We also show how an alternative class of polynomials, with degree equal to their corresponding Hilbert counterparts (and hence having roots in \(\mathbb{F}_{p}\)), can be used in the CM method to generate prime-order ECs. We conduct an extensive experimental study comparing the efficiency of using this alternative class against the use of the aforementioned Weber polynomials. Finally, we investigate the time efficiency of the CM variant under four different implementations of a crucial step of the variant and demonstrate the superiority of two of them.
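As an added illustration (not code from the paper), the following toy Python sketch runs the CM method for the class-number-one discriminant D = 11, whose Hilbert polynomial is H_11(x) = x + 32768, and checks the D ≡ 3 (mod 8) condition empirically. It assumes the standard CM norm equation 4p = t² + Dv² with candidate orders p + 1 ± t; the function names and the prime p = 31 are chosen here, and brute-force point counting stands in for the order check only because p is tiny.

```python
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def norm_solutions(D, p):
    """All (t, v) with t, v > 0 and 4p = t^2 + D*v^2 (CM norm equation)."""
    out = []
    for v in range(1, isqrt(4 * p // D) + 1):
        t2 = 4 * p - D * v * v
        t = isqrt(t2)
        if t > 0 and t * t == t2:
            out.append((t, v))
    return out

def discriminants_giving_prime_order(max_d, max_p):
    """D for which some prime 5 <= p < max_p makes p+1-t or p+1+t an odd prime.
    p odd and order odd force t odd, so D*v^2 = 4p - t^2 = 3 (mod 8)."""
    good = set()
    for D in range(3, max_d + 1):
        for p in filter(is_prime, range(5, max_p)):
            for t, _ in norm_solutions(D, p):
                if any(m > 2 and is_prime(m) for m in (p + 1 - t, p + 1 + t)):
                    good.add(D)
    return good

def count_points(a, b, p):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b (toy sizes only)."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))

def cm_prime_order_curve(p, j_hilbert=-32768):
    """Build the curve with j = root of H_11 mod p; return (a, b, order)
    for the curve or its quadratic twist, whichever has prime order."""
    j = j_hilbert % p
    k = j * pow((1728 - j) % p, -1, p) % p      # requires j not in {0, 1728}
    # smallest quadratic non-residue c defines the twist (a*c^2, b*c^3)
    c = next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)
    for a, b in ((3 * k % p, 2 * k % p),
                 (3 * k * c * c % p, 2 * k * c**3 % p)):
        n = count_points(a, b, p)
        if is_prime(n):
            return a, b, n
    return None

if __name__ == "__main__":
    print(norm_solutions(11, 31))               # t = 5, v = 3
    print(cm_prime_order_curve(31))             # twist has prime order
    print(sorted(discriminants_giving_prime_order(40, 200)))
```

At cryptographic sizes the point count is replaced by checking that a random point is annihilated by the candidate order, and the root of the class polynomial is found by factoring it modulo p.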

## Keywords

- Public key cryptography
- Elliptic curve cryptosystems
- Complex multiplication
- Weber polynomials
- Prime order
