Journal of Cryptology, Volume 23, Issue 2, pp. 224–280

A Taxonomy of Pairing-Friendly Elliptic Curves

Open Access Article

Abstract

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.
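The two conditions in the abstract, a large prime-order subgroup of order r and a small embedding degree k (the least k with r dividing p^k − 1, so that the subgroup maps into the multiplicative group of F_{p^k} under the Weil or Tate pairing), can be checked directly on concrete parameters. The Python below is an added illustration, not code from the paper or its authors: it counts points by brute force (toy-sized p only), computes k as the multiplicative order of p modulo r, and reproduces the Barreto–Naehrig polynomial family at x = 1, giving p = 103, r = 97 and k = 12. Function names and the toy parameters (p = 11 for a supersingular example) are my own choices.

```python
"""Pairing-friendliness check for E: y^2 = x^3 + a x + b over a prime field F_p.

Added example (not from the paper). Brute-force point counting is used, so
this is for toy parameters only; the embedding-degree routine itself works at
any size since it only needs modular exponentiation.
"""
from math import gcd, log
from typing import Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def curve_order(p: int, a: int, b: int) -> int:
    """#E(F_p) via Euler's criterion on x^3 + a x + b for every x in F_p.
    Requires an odd prime p and a nonsingular curve."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular curve")
    count = 1  # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            count += 1  # one point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            count += 2  # rhs is a nonzero square: two y values
    return count


def embedding_degree(r: int, p: int, k_max: int = 50) -> Optional[int]:
    """Smallest k >= 1 with r | p^k - 1, i.e. the order of p in (Z/rZ)^*.
    None if it exceeds k_max (the curve is then useless for pairings)."""
    if gcd(p, r) != 1:
        raise ValueError("p and r must be coprime")
    pk = 1
    for k in range(1, k_max + 1):
        pk = (pk * p) % r
        if pk == 1:
            return k
    return None


def rho_value(p: int, r: int) -> float:
    """rho = log p / log r: how much larger the field is than the subgroup."""
    return log(p) / log(r)


def is_pairing_friendly(p: int, a: int, b: int, r: int,
                        k_max: int = 50) -> Optional[int]:
    """Return k if r is prime, r | #E(F_p) and k <= k_max; otherwise None."""
    if not is_prime(r) or curve_order(p, a, b) % r != 0:
        return None
    return embedding_degree(r, p, k_max)


def bn_parameters(x: int) -> Tuple[int, int, int]:
    """Barreto-Naehrig family: (p, n, t) with k = 12 and rho = 1 whenever
    p and n are both prime."""
    p = 36 * x ** 4 + 36 * x ** 3 + 24 * x ** 2 + 6 * x + 1
    n = 36 * x ** 4 + 36 * x ** 3 + 18 * x ** 2 + 6 * x + 1
    t = 6 * x ** 2 + 1
    return p, n, t


def find_bn_curve(x: int) -> Optional[Tuple[int, int, int]]:
    """Among the twists y^2 = x^3 + b over F_p, find one with exactly n
    points (it exists because 4p - t^2 = 3 y^2, i.e. CM discriminant -3).
    Returns (p, n, b) or None if p or n is not prime."""
    p, n, _ = bn_parameters(x)
    if not (is_prime(p) and is_prime(n)):
        return None
    for b in range(1, p):
        if curve_order(p, 0, b) == n:
            return p, n, b
    return None


if __name__ == "__main__":
    # Supersingular toy curve y^2 = x^3 + 1 over F_11 (11 = 2 mod 3): 12 points,
    # subgroup of order 3, embedding degree 2.
    print("F_11 order:", curve_order(11, 0, 1), "k:", is_pairing_friendly(11, 0, 1, 3))
    # BN curve at x = 1: p = 103, n = 97, embedding degree 12, rho ~ 1.
    p, n, b = find_bn_curve(1)
    print("BN x=1:", p, n, "b =", b, "k:", is_pairing_friendly(p, 0, b, n),
          "rho: %.3f" % rho_value(p, n))
```

The check is stated for curves over prime fields; for curves over extension fields F_q with q = p^m the field into which the pairing actually lands can be smaller than F_{q^k}, so the finite-field security estimate must be made against the minimal embedding field rather than q^k.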

Keywords

Elliptic curves; Pairing-based cryptosystems; Embedding degree; Efficient implementation


Copyright information

© The Author(s) 2009

Authors and Affiliations

  1. CWI and Universiteit Leiden, Amsterdam, The Netherlands
  2. School of Computer Applications, Dublin City University, Dublin 9, Ireland
  3. Dept. of Combinatorics and Optimization, University of Waterloo, Waterloo, Canada