Results 1  10
of
18
A taxonomy of pairingfriendly elliptic curves
, 2006
"... Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all ..."
Abstract

Cited by 82 (10 self)
 Add to MetaCart
Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairingfriendly elliptic curves currently existing in the literature. We also include new constructions of pairingfriendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairingfriendly curves to choose to best satisfy a variety of performance and security requirements.
The complexity of class polynomial computation via floating point approximations. ArXiv preprint
, 601
"... Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest ..."
Abstract

Cited by 34 (5 self)
 Add to MetaCart
Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest one of the presented approaches uses a technique devised by Dupont to evaluate modular functions by Newton iterations on an expression involving the arithmeticgeometric mean. Under the heuristic assumption, justified by experiments, that the correctness of the result is not perturbed by rounding errors, the algorithm runs in time “p “p ”” 3 2 O Dlog D  M Dlog D  ⊆ O ` Dlog 6+ε D  ´ ⊆ O ` h 2+ε´ for any ε> 0, where D is the CM discriminant, h is the degree of the class polynomial and M(n) is the time needed to multiply two nbit numbers. Up to logarithmic factors, this running time matches the size of the constructed polynomials. The estimate also relies on a new result concerning the complexity of enumerating the class group of an imaginary quadratic order and on a rigorously proven upper bound for the height of class polynomials. 1. Motivation and
The 2adic CM method for genus 2 curves with application to cryptography
 in ASIACRYPT ‘06, Springer LNCS 4284
, 2006
"... Abstract. The complex multiplication (CM) method for genus 2 is currently the most efficient way of generating genus 2 hyperelliptic curves defined over large prime fields and suitable for cryptography. Since low class number might be seen as a potential threat, it is of interest to push the method ..."
Abstract

Cited by 19 (1 self)
 Add to MetaCart
Abstract. The complex multiplication (CM) method for genus 2 is currently the most efficient way of generating genus 2 hyperelliptic curves defined over large prime fields and suitable for cryptography. Since low class number might be seen as a potential threat, it is of interest to push the method as far as possible. We have thus designed a new algorithm for the construction of CM invariants of genus 2 curves, using 2adic lifting of an input curve over a small finite field. This provides a numerically stable alternative to the complex analytic method in the first phase of the CM method for genus 2. As an example we compute an irreducible factor of the Igusa class polynomial system for the quartic CM field Q(i p 75 + 12 √ 17), whose class number is 50. We also introduce a new representation to describe the CM curves: a set of polynomials in (j1, j2, j3) which vanish on the precise set of triples which are the Igusa invariants of curves whose Jacobians have CM by a prescribed field. The new representation provides a speedup in the second phase, which uses Mestre’s algorithm to construct a genus 2 Jacobian of prime order over a large prime field for use in cryptography. 1
Computing modular polynomials in quasilinear time
 Mathematics of Computation
"... Abstract. We analyse and compare the complexity of several algorithms for computing modular polynomials. Under the assumption that rounding errors do not influence the correctness of the result, which appears to be satisfied in practice, we show that an algorithm relying on floating point evaluation ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Abstract. We analyse and compare the complexity of several algorithms for computing modular polynomials. Under the assumption that rounding errors do not influence the correctness of the result, which appears to be satisfied in practice, we show that an algorithm relying on floating point evaluation of modular functions and on interpolation has a complexity that is up to logarithmic factors linear in the size of the computed polynomials. In particular, it obtains the classical modular polynomial Φℓ of prime level ℓ in time O ( ℓ 2 log 3 ℓM(ℓ) ) ⊆ O ( ℓ 3 log 4+ε ℓ), where M(ℓ) is the time needed to multiply two ℓbit numbers. Besides treating modular polynomials for Γ0 (ℓ), which are an important ingredient in many algorithms dealing with isogenies of elliptic curves, the algorithm is easily adapted to more general situations. Composite levels are handled just as easily as prime levels, as well as polynomials between a modular function and its transform of prime level, such as the Schläfli polynomials and their generalisations.
A padic algorithm to compute the Hilbert class polynomial
 in ASIACRYPT ’98 Springer LNCS 1514
, 2007
"... Abstract. Classicaly, the Hilbert class polynomial P ∆ ∈ Z[X] of an imaginary quadratic discriminant ∆ is computed using complex analytic techniques. In 2002, Couveignes and Henocq [5] suggested a padic algorithm to compute P∆. Unlike the complex analytic method, it does not suffer from problems c ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Abstract. Classicaly, the Hilbert class polynomial P ∆ ∈ Z[X] of an imaginary quadratic discriminant ∆ is computed using complex analytic techniques. In 2002, Couveignes and Henocq [5] suggested a padic algorithm to compute P∆. Unlike the complex analytic method, it does not suffer from problems caused by rounding errors. In this paper we complete the outline given in [5] and we prove that, if the Generalized Riemann Hypothesis holds true, the expected runtime of the padic algorithm is eO(∆). We illustrate the algorithm by computing the polynomial P−639 using a 643adic algorithm. 1.
MODULAR POLYNOMIALS VIA ISOGENY VOLCANOES
, 2010
"... We present a new algorithm to compute the classical modular polynomial Φl in the rings Z[X, Y] and (Z/mZ)[X, Y], for a prime l and any positive integer m. Our approach uses the graph of lisogenies to efficiently compute Φl mod p for many primes p of a suitable form, and then applies the Chinese R ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
We present a new algorithm to compute the classical modular polynomial Φl in the rings Z[X, Y] and (Z/mZ)[X, Y], for a prime l and any positive integer m. Our approach uses the graph of lisogenies to efficiently compute Φl mod p for many primes p of a suitable form, and then applies the Chinese Remainder Theorem (CRT). Under the Generalized Riemann Hypothesis (GRH), we achieve an expected running time of O(l3 (log l) 3 log log l), and compute Φl mod m using O(l2 (log l) 2 + l2 log m) space. We have used the new algorithm to compute Φl with l over 5000, and Φl mod m with l over 20000. We also consider several modular functions g for which Φ g l is smaller than Φl, allowing us to handle l over 60000.
CONSTRUCTING PAIRINGFRIENDLY HYPERELLIPTIC CURVES USING WEIL RESTRICTION
"... Abstract. A pairingfriendly curve is a curve over a finite field whose Jacobian has small embedding degree with respect to a large primeorder subgroup. In this paper we construct pairingfriendly genus 2 curves over finite fields Fq whose Jacobians are ordinary and simple, but not absolutely simpl ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. A pairingfriendly curve is a curve over a finite field whose Jacobian has small embedding degree with respect to a large primeorder subgroup. In this paper we construct pairingfriendly genus 2 curves over finite fields Fq whose Jacobians are ordinary and simple, but not absolutely simple. We show that constructing such curves is equivalent to constructing elliptic curves over Fq that become pairingfriendly over a finite extension of Fq. Our main proof technique is Weil restriction of elliptic curves. We describe adaptations of the CocksPinch and BrezingWeng methods that produce genus 2 curves with the desired properties. Our examples include a parametric family of genus 2 curves whose Jacobians have the smallest recorded ρvalue for simple, nonsupersingular abelian surfaces. 1.
CONSTRUCTING ELLIPTIC CURVES OF PRIME ORDER
"... Abstract. We present a very efficient algorithm to construct an elliptic curve E and a finite field F such that the order of the point group E(F) is a given prime number N. Heuristically, this algorithm only takes polynomial time e O((log N) 3), and it is so fast that it may profitably be used to ta ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. We present a very efficient algorithm to construct an elliptic curve E and a finite field F such that the order of the point group E(F) is a given prime number N. Heuristically, this algorithm only takes polynomial time e O((log N) 3), and it is so fast that it may profitably be used to tackle the related problem of finding elliptic curves with point groups of prime order of prescribed size. We also discuss the impact of the use of high level modular functions to reduce the run time by large constant factors and show that recent gonality bounds for modular curves imply limits on the time reduction that can be obtained. 1.
CLASS INVARIANTS BY THE CRT METHOD
, 1001
"... Abstract. We adapt the CRTapproach to computing Hilbertclass polynomials to handle a wide range of class invariants. Forsuitable discriminantsD, this improves its performance by a large constant factor, more than 200 in the most favourable circumstances. This has enabled recordbreaking construction ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. We adapt the CRTapproach to computing Hilbertclass polynomials to handle a wide range of class invariants. Forsuitable discriminantsD, this improves its performance by a large constant factor, more than 200 in the most favourable circumstances. This has enabled recordbreaking constructions of elliptic curves via the CM method, including examples with D > 10 15. 1.
Efficient CMconstructions of elliptic curves over finite fields
 MATH. COMP.
, 2007
"... We present an algorithm that, on input of an integer N ≥ 1 together with its prime factorization, constructs a finite field F and an elliptic curve E over F for which E(F) hasorderN. Although it is unproved that this can be done for all N, a heuristic analysis shows that the algorithm has an expect ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
We present an algorithm that, on input of an integer N ≥ 1 together with its prime factorization, constructs a finite field F and an elliptic curve E over F for which E(F) hasorderN. Although it is unproved that this can be done for all N, a heuristic analysis shows that the algorithm has an expected run time that is polynomial in 2 ω(N) log N, whereω(N) isthe number of distinct prime factors of N. In the cryptographically relevant case where N is prime, an expected run time O((log N) 4+ε) can be achieved. We illustrate the efficiency of the algorithm by constructing elliptic curves with point groups of order N =10 2004 and N = nextprime(10 2004)=10 2004 +4863.