A Taxonomy of Pairing-Friendly Elliptic Curves

Abstract

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

Author information

Corresponding author

Correspondence to David Freeman.

Additional information

Communicated by Dan Boneh

Rights and permissions

Open Access This is an open access article distributed under the terms of the Creative Commons Attribution Noncommercial License (https://creativecommons.org/licenses/by-nc/2.0), which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

About this article

Cite this article

Freeman, D., Scott, M. & Teske, E. A Taxonomy of Pairing-Friendly Elliptic Curves. J Cryptol 23, 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z

  • DOI: https://doi.org/10.1007/s00145-009-9048-z

Keywords

  • Elliptic curves
  • Pairing-based cryptosystems
  • Embedding degree
  • Efficient implementation