Constructing Elliptic Curves with Prescribed Embedding Degrees

  • Paulo S. L. M. Barreto
  • Ben Lynn
  • Michael Scott
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2576)


Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree for most elliptic curves is enormous, and the few previously known suitable elliptic curves have embedding degree k ≤ 6. In this paper, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.




  1. A. Agashe, K. Lauter, R. Venkatesan, “Constructing elliptic curves with a given number of points over a finite field,” Cryptology ePrint Archive, Report 2001/096,
  2. R. Balasubramanian, N. Koblitz, “The improbability that an Elliptic Curve has Subexponential Discrete Log Problem under the Menezes-Okamoto-Vanstone Algorithm,” Journal of Cryptology, Vol. 11, No. 2, 1998, pp. 141–145.
  3. P. S. L. M. Barreto, H. Y. Kim, B. Lynn, M. Scott, “Efficient Algorithms for Pairing-Based Cryptosystems,” Cryptology ePrint Archive, Report 2002/008,
  4. I. Blake, G. Seroussi and N. Smart, “Elliptic Curves in Cryptography,” Cambridge University Press, 1999.
  5. D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” Advances in Cryptology-Crypto’2001, Lecture Notes in Computer Science 2139, pp. 213–229, Springer-Verlag, 2001.
  6. D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” Asiacrypt’2001, Lecture Notes in Computer Science 2248, pp. 514–532, Springer-Verlag, 2002.
  7. R. Crandall and C. Pomerance, “Prime Numbers: a Computational Perspective,” Springer-Verlag, 2001.
  8. R. Dupont, A. Enge, F. Morain, “Building curves with arbitrary small MOV degree over finite prime fields,” Cryptology ePrint Archive, Report 2002/094, available at
  9. G. Frey, M. Müller, and H. Rück, “The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems,” IEEE Transactions on Information Theory, 45(5), pp. 1717–1719, 1999.
  10. G. Frey and H. Rück, “A Remark Concerning m-Divisibility and the Discrete Logarithm in the Divisor Class Group of Curves,” Mathematics of Computation, 62 (1994), pp. 865–874.
  11. S. D. Galbraith, K. Harrison, D. Soldera, “Implementing the Tate pairing,” Algorithmic Number Theory-ANTS V, 2002, to appear.
  12. F. Hess, “Exponent Group Signature Schemes and Efficient Identity Based Signature Schemes Based on Pairings,” Cryptology ePrint Archive, Report 2002/012, available at
  13. IEEE Std 2000-1363, “Standard Specifications for Public Key Cryptography,” 2000.
  14. A. Joux, “A one-round protocol for tripartite Diffie-Hellman,” Algorithm Number Theory Symposium-ANTS IV, Lecture Notes in Computer Science 1838, pp. 385–394, Springer-Verlag, 2000.
  15. A. Joux and K. Nguyen, “Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups,” Cryptology ePrint Archive, Report 2001/003,
  16. G. J. Lay, H. G. Zimmer, “Constructing Elliptic Curves with Given Group Order over Large Finite Fields,” Algorithmic Number Theory Symposium-ANTS I, Lecture Notes in Computer Science 877 (1994), pp. 250–263.
  17. R. Lidl and H. Niederreiter, “Introduction to finite fields and their applications,” Cambridge University Press, 1986.
  18. A. Menezes, T. Okamoto and S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a finite field,” IEEE Transactions on Information Theory 39 (1993), pp. 1639–1646.
  19. A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions of elliptic curve traces for FR-reduction,” IEICE Trans. Fundamentals, Vol. E84 A, no. 5, May 2001.
  20. F. Morain, “Building cyclic elliptic curves modulo large primes,” Advances in Cryptology-Eurocrypt’91, Lecture Notes in Computer Science 547 (1991), pp. 328–336.
  21. T. Nagell, “Introduction to Number Theory,” 2nd reprint edition, Chelsea Publishing, 2001.
  22. K. G. Paterson, “ID-based signatures from pairings on elliptic curves,” Cryptology ePrint Archive, Report 2002/004, available at
  23. R. Sakai, K. Ohgishi and M. Kasahara, “Cryptosystems based on pairing,” 2000 Symposium on Cryptography and Information Security (SCIS2000), Okinawa, Japan, Jan. 26–28, 2000.
  24. O. Schirokauer, D. Weber and T. Denny, “Discrete Logarithms: the Effectiveness of the Index Calculus Method,” ANTS, pp. 337–361, 1996.
  25. J. H. Silverman, “Elliptic curve discrete logarithms and the index calculus,” Workshop on Elliptic Curve Cryptography (ECC’98), September 14–16, 1998.
  26. N. P. Smart, “The Algorithmic Resolution of Diophantine Equations,” London Mathematical Society Student Text 41, Cambridge University Press, 1998.
  27. N. Smart, “An Identity Based Authenticated Key Agreement Protocol Based on the Weil Pairing,” Cryptology ePrint Archive, Report 2001/111, available at
  28. N. Tzanakis, “Solving elliptic diophantine equations by estimating linear forms in elliptic logarithms. The case of quartic equations,” Acta Arithmetica 75 (1996), pp. 165–190.
  29. E. Verheul, “Self-blindable Credential Certificates from the Weil Pairing,” Advances in Cryptology-Asiacrypt’2001, Lecture Notes in Computer Science 2248 (2002), pp. 533–551.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Paulo S. L. M. Barreto (1)
  • Ben Lynn (2)
  • Michael Scott (3)

  1. Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica, Universidade de São Paulo, Brazil
  2. Computer Science Department, Stanford University, USA
  3. School of Computer Applications, Dublin City University, Ballymun, Ireland
