# Constructing Elliptic Curves with Prescribed Embedding Degrees

## Abstract

Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree for most elliptic curves is enormous, and the few previously known suitable elliptic curves have embedding degree *k* ≤ 6. In this paper, we examine criteria for curves with larger *k* that generalize prior work by Miyaji *et al*. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
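The embedding degree named in the abstract can be computed directly for toy curves. The sketch below is an added example, not code from the paper: it counts points by brute force, takes the largest prime factor *r* of the group order, and finds the smallest *k* with *r* | *q*^*k* − 1. The cyclotomic cross-check relies on the standard fact that a prime *r* not dividing *k* divides Φ_k(*q*) exactly when *q* has order *k* modulo *r*; the curves and function names are constructed for illustration.

```python
from fractions import Fraction

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b by brute force (toy-sized p only)."""
    n = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            n += 1                                  # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:        # Euler's criterion: rhs is a square
            n += 2
    return n

def prime_factors(n):
    """Distinct prime factors of n in ascending order (trial division)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + [n] if n > 1 else out

def embedding_degree(q, r):
    """Smallest k >= 1 with r | q^k - 1, i.e. the order of q modulo r."""
    if q % r == 0:
        raise ValueError("r divides q: no embedding degree (anomalous case)")
    k, acc = 1, q % r
    while acc != 1:
        acc, k = acc * q % r, k + 1
    return k

def mobius(n):
    fs = prime_factors(n)
    squarefree = all(n % (f * f) for f in fs)
    return (-1) ** len(fs) if squarefree else 0

def cyclotomic_at(k, q):
    """Phi_k(q) via Phi_k(x) = prod over d | k of (x^d - 1)^mu(k/d)."""
    val = Fraction(1)
    for d in (d for d in range(1, k + 1) if k % d == 0):
        val *= Fraction(q ** d - 1) ** mobius(k // d)
    return int(val)

def analyze(a, b, p):
    """Return (group order, largest prime factor r, embedding degree k)."""
    n = count_points(a, b, p)
    r = prime_factors(n)[-1]
    k = embedding_degree(p, r)
    assert cyclotomic_at(k, p) % r == 0             # cyclotomic criterion agrees
    return n, r, k

if __name__ == "__main__":
    # Constructed toy inputs: two supersingular curves, both with k = 2.
    print(analyze(1, 0, 59), analyze(0, 1, 101))
```

Both sample curves are supersingular, which is why they land on a small *k*; at cryptographic sizes the point count would come from Schoof-type algorithms or from a complex-multiplication construction rather than brute force.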

## Keywords

Elliptic Curve, Complex Multiplication, Signature Scheme, Discrete Logarithm

## References

- 1. A. Agashe, K. Lauter, R. Venkatesan, “Constructing elliptic curves with a given number of points over a finite field,” Cryptology ePrint Archive, Report 2001/096, http://eprint.iacr.org/2001/096/.
- 2. R. Balasubramanian, N. Koblitz, “The improbability that an Elliptic Curve has Subexponential Discrete Log Problem under the Menezes-Okamoto-Vanstone Algorithm,” *Journal of Cryptology*, Vol. 11, No. 2, 1998, pp. 141–145.
- 3. P. S. L. M. Barreto, H. Y. Kim, B. Lynn, M. Scott, “Efficient Algorithms for Pairing-Based Cryptosystems,” Cryptology ePrint Archive, Report 2002/008, http://eprint.iacr.org/2002/008/.
- 4. I. Blake, G. Seroussi and N. Smart, “Elliptic Curves in Cryptography,” Cambridge University Press, 1999.
- 5. D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” Advances in Cryptology-Crypto’2001, Lecture Notes in Computer Science **2139**, pp. 213–229, Springer-Verlag, 2001.
- 6. D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” Asiacrypt’2001, Lecture Notes in Computer Science **2248**, pp. 514–532, Springer-Verlag, 2002.
- 7. R. Crandall and C. Pomerance, “Prime Numbers: a Computational Perspective,” Springer-Verlag, 2001.
- 8. R. Dupont, A. Enge, F. Morain, “Building curves with arbitrary small MOV degree over finite prime fields,” Cryptology ePrint Archive, Report 2002/094, available at http://eprint.iacr.org/2002/094.
- 9. G. Frey, M. Müller, and H. Rück, “The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems,” IEEE Transactions on Information Theory, 45(5), pp. 1717–1719, 1999.
- 10. G. Frey and H. Rück, “A Remark Concerning *m*-Divisibility and the Discrete Logarithm in the Divisor Class Group of Curves,” Mathematics of Computation, 62 (1994), pp. 865–874.
- 11. S. D. Galbraith, K. Harrison, D. Soldera, “Implementing the Tate pairing,” Algorithmic Number Theory-ANTS V, 2002, to appear.
- 12. F. Hess, “Exponent Group Signature Schemes and Efficient Identity Based Signature Schemes Based on Pairings,” Cryptology ePrint Archive, Report 2002/012, available at http://eprint.iacr.org/2002/012/.
- 13. IEEE Std 2000-1363, “Standard Specifications for Public Key Cryptography,” 2000.
- 14. A. Joux, “A one-round protocol for tripartite Diffie-Hellman,” Algorithmic Number Theory Symposium-ANTS IV, Lecture Notes in Computer Science **1838**, pp. 385–394, Springer-Verlag, 2000.
- 15. A. Joux and K. Nguyen, “Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups,” Cryptology ePrint Archive, Report 2001/003, http://eprint.iacr.org/2001/003/.
- 16. G. J. Lay, H. G. Zimmer, “Constructing Elliptic Curves with Given Group Order over Large Finite Fields,” Algorithmic Number Theory Symposium-ANTS I, Lecture Notes in Computer Science **877** (1994), pp. 250–263.
- 17. R. Lidl and H. Niederreiter, “Introduction to finite fields and their applications,” Cambridge University Press, 1986.
- 18. A. Menezes, T. Okamoto and S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a finite field,” IEEE Transactions on Information Theory 39 (1993), pp. 1639–1646.
- 19. A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit conditions of elliptic curve traces for FR-reduction,” IEICE Trans. Fundamentals, Vol. E84 A, no. 5, May 2001.
- 20. F. Morain, “Building cyclic elliptic curves modulo large primes,” Advances in Cryptology-Eurocrypt’91, Lecture Notes in Computer Science **547** (1991), pp. 328–336.
- 21. T. Nagell, “Introduction to Number Theory,” 2nd reprint edition, Chelsea Publishing, 2001.
- 22. K. G. Paterson, “ID-based signatures from pairings on elliptic curves,” Cryptology ePrint Archive, Report 2002/004, available at http://eprint.iacr.org/2002/004/.
- 23. R. Sakai, K. Ohgishi and M. Kasahara, “Cryptosystems based on pairing,” 2000 Symposium on Cryptography and Information Security (SCIS2000), Okinawa, Japan, Jan. 26–28, 2000.
- 24. O. Schirokauer, D. Weber and T. Denny, “Discrete Logarithms: the Effectiveness of the Index Calculus Method,” ANTS, pp. 337–361, 1996.
- 25. J. H. Silverman, “Elliptic curve discrete logarithms and the index calculus,” Workshop on Elliptic Curve Cryptography (ECC’98), September 14–16, 1998.
- 26. N. P. Smart, “The Algorithmic Resolution of Diophantine Equations,” London Mathematical Society Student Text **41**, Cambridge University Press, 1998.
- 27. N. Smart, “An Identity Based Authenticated Key Agreement Protocol Based on the Weil Pairing,” Cryptology ePrint Archive, Report 2001/111, available at http://eprint.iacr.org/2001/111/.
- 28. N. Tzanakis, “Solving elliptic diophantine equations by estimating linear forms in elliptic logarithms. The case of quartic equations,” *Acta Arithmetica* **75** (1996), pp. 165–190.
- 29. E. Verheul, “Self-blindable Credential Certificates from the Weil Pairing,” Advances in Cryptology-Asiacrypt’2001, Lecture Notes in Computer Science **2248** (2002), pp. 533–551.