Designs, Codes and Cryptography, Volume 37, Issue 1, pp 133–141

Elliptic Curves Suitable for Pairing Based Cryptography

  • Friederike Brezing
  • Annegret Weng


For pairing based cryptography we need elliptic curves defined over finite fields \(\mathbb{F}_{q}\) whose group order is divisible by some prime \(\ell\) with \(\ell \mid q^{k}-1\) where k is relatively small. In Barreto et al. and Dupont et al. [Proceedings of the Third Workshop on Security in Communication Networks (SCN 2002), LNCS, 2576, 2003; Building curves with arbitrary small MOV degree over finite fields, Preprint, 2002], algorithms for the construction of ordinary elliptic curves over prime fields \(\mathbb{F}_{p}\) with arbitrary embedding degree k are given. Unfortunately, p is of size \(O(\ell^{2})\).

We give a method to generate ordinary elliptic curves over prime fields with p significantly less than \(\ell^{2}\) which also works for arbitrary k. For a fixed embedding degree k, the new algorithm yields curves with \(p \approx \ell^{s}\) where \(s = 2 - 2/\varphi(k)\) or \(s = 2 - 1/\varphi(k)\) depending on k. For special values of k even better results are obtained.

We present several examples. In particular, we found some curves where \(\ell\) is a prime of small Hamming weight resp. with a small addition chain.
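The two quantities the abstract turns on, the embedding degree k (the smallest k with \(\ell \mid p^{k}-1\)) and the size ratio \(\log p / \log \ell\), can be checked for any given curve. The following is an added example, not code from the paper: it brute-forces toy curves constructed for illustration, and all function names are assumptions.

```python
from math import gcd, log

def curve_order(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b by brute force (toy primes p > 3 only)."""
    if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("need p > 3 and a non-singular curve")
    roots = {}                          # value v -> number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    affine = sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))
    return affine + 1                   # plus the point at infinity

def largest_prime_factor(n):
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

def embedding_degree(q, l):
    """Smallest k >= 1 with l | q^k - 1; None if l | q, where no such k exists."""
    if l < 2 or gcd(q, l) != 1:
        return None
    k, acc = 1, q % l
    while acc != 1:                     # multiplicative order of q modulo l
        acc, k = acc * q % l, k + 1
    return k

def euler_phi(k):
    return sum(1 for i in range(1, k + 1) if gcd(i, k) == 1)

def size_exponents(k):
    """The two exponents s quoted in the abstract for embedding degree k."""
    return (2 - 2 / euler_phi(k), 2 - 1 / euler_phi(k))

def analyse(a, b, p):
    """Order, largest prime factor l, embedding degree k and log p / log l."""
    n = curve_order(a, b, p)
    l = largest_prime_factor(n)
    return {"order": n, "l": l, "k": embedding_degree(p, l),
            "log_ratio": log(p) / log(l)}

if __name__ == "__main__":
    # Constructed toy inputs: y^2 = x^3 + 3 over F_7 and y^2 = x^3 + x over F_11.
    for a, b, p in [(0, 3, 7), (1, 0, 11)]:
        print((a, b, p), analyse(a, b, p))
    print("s for k = 12:", size_exponents(12))
```

At toy sizes the ratio \(\log p / \log \ell\) carries no asymptotic meaning; it is only comparable with the exponents s above for cryptographic-size parameters.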


elliptic curves, pairing based cryptography




References

  1. Atkin, A.O.L., Morain, F. (1993) Elliptic curves and primality proving. Mathematics of Computation 61, 29–68.
  2. Balasubramanian, R., Koblitz, N. (1998) The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. Journal of Cryptology 11, 141–145.
  3. Barreto, P., Lynn, B., Scott, M. (2003) Constructing elliptic curves with prescribed embedding degrees. Proceedings of the Third Workshop on Security in Communication Networks (SCN’2002), LNCS 2576.
  4. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, P. (2002) Efficient algorithms for pairing based cryptosystems. Crypto 2002, LNCS 2442, 354–368.
  5. Boneh, D., Lynn, B., Shacham, H. (2001) Short signatures from the Weil pairing. Asiacrypt ’01, LNCS 2248, 514–532.
  6. Dupont, R., Enge, A., Morain, F. (2002) Building curves with arbitrary small MOV degree over finite fields. To appear in Journal of Cryptography.
  7. Franklin, M., Boneh, D. (2001) Identity-based encryption from the Weil pairing. Proceedings Crypto ’01, LNCS 2139, 213–229.
  8. Frey, G., Müller, M., Rück, H.-G. (1999) The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory 45, 1717–1718.
  9. Galbraith, S., Harrison, K., Soldera, D. (2002) Implementing the Tate pairing. ANTS IV, LNCS 2369, 324–337.
  10. Joux, A. (2000) A one round protocol for tripartite Diffie-Hellman. Proceedings of ANTS, LNCS 1838, 385–393.
  11. Menezes, A.J., Okamoto, T., Vanstone, S.A. (1993) Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 39, 1639–1646.
  12. Verheul, E. (2002) Self-blindable credential certificates from the Weil pairing. Advances in Cryptology – Asiacrypt 2001, LNCS 2248, 533–551.

Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  1. Fachbereich Mathematik, Johann Wolfgang Goethe-Universität, Frankfurt, Germany
  2. Fachbereich Mathematik, Johannes Gutenberg Universität, Mainz, Germany
