## Generating Prime Order Elliptic Curves: Difficulties and Efficiency (2005)

Venue: | Considerations, in International Conference on Information Security and Cryptology – ICISC 2004, Lecture Notes in Computer Science |

Citations: | 2 - 2 self |

### BibTeX

@INPROCEEDINGS{Konstantinou05generatingprime,

author = {Elisavet Konstantinou and Aristides Kontogeorgis and Yannis C. Stamatiou and Christos Zaroliagis},

title = {Generating Prime Order Elliptic Curves: Difficulties and Efficiency},

booktitle = {Considerations, in International Conference on Information Security and Cryptology – ICISC 2004, Lecture Notes in Computer Science},

year = {2005},

pages = {261--278},

publisher = {Springer}

}

### OpenURL

### Abstract

Abstract. We consider the generation of prime order elliptic curves (ECs) over a prime field Fp using the Complex Multiplication (CM) method. A crucial step of this method is to compute the roots of a special type of class field polynomials with the most commonly used being the Hilbert and Weber ones, uniquely determined by the CM discriminant D. In attempting to construct prime order ECs using Weber polynomials two difficulties arise (in addition to the necessary transformations of the roots of such polynomials to those of their Hilbert counterparts). The first one is that the requirement of prime order necessitates that D ≡ 3 (mod 8), which gives Weber polynomials with degree three times larger than the degree of their corresponding Hilbert polynomials (a fact that could affect efficiency). The second difficulty is that these Weber polynomials do not have roots in Fp. In this paper we show how to overcome the above difficulties and provide efficient methods for generating ECs of prime order supported by a thorough experimental study. In particular,

### Citations

974 |
A Course in Computational Algebraic Number Theory, Springer-Verlag, Fourth Printing
- Cohen
- 2000
(Show Context)
Citation Context ...iptic curve cryptosystems the prime p is at least 160 bits. Therefore, an arbitrary prime almost certainly does not divide the discriminant. 2 For a definition of the discriminant of a polynomial see =-=[7]-=-.sGenerating Prime Order Elliptic Curves 267 3 The CM Method Using Weber Polynomials In this section we define Weber polynomials for discriminant values D ≡ 3 (mod 8) and prove that they do not have r... |

592 | Short signatures from the weil pairing
- Boneh, Lynn, et al.
(Show Context)
Citation Context ...tant alternative to cryptographic strength (see e.g., [26]) requires that the order of the generated EC is a prime number. Note that in certain applications it is necessary to have ECs of prime order =-=[6]-=-. Prime order ECs defined in various fields were also treated in [2, 16, 20, 23]. In this paper we follow the latter approach and study the use of the CM method for generating ECs of prime order in Fp... |

174 | Elliptic curves and primality proving
- Atkin, Morain
- 1993
(Show Context)
Citation Context ...entral considerations in Elliptic Curve Cryptography. One of the most efficient methods that can be employed for the construction of ECs with specified order is the Complex Multiplication (CM) method =-=[1, 17]-=-. Briefly, the CM method starts with the specification of a discriminant value D, the determination of the order p of the underlying prime field and the order m of the EC. It then computes a special p... |

161 |
Factoring polynomials over large finite fields
- Berlekamp
- 1970
(Show Context)
Citation Context ...y, compared to that of Weber polynomials for the case of prime order elliptic curves. Since MD,l(x) has roots RM modulo p, we use an algorithm for their computation (for example Berlekamp’s algorithm =-=[4]-=-) and then we can compute the roots RH modulo p of the corresponding Hilbert polynomial HD(x) from the modular equation Φl(RM ,RH) =0. We finally note that the precision required for the construction ... |

113 |
Primes of the form x 2 + ny 2
- Cox
- 1989
(Show Context)
Citation Context ...cepts and terms, the interested reader may consult [5]. Also, the proofs of certain theorems require basic knowledge of algebraic number theory and Galois theory. The interested reader is referred to =-=[8, 31, 32]-=- for definitions not given here due to lack of space. 2.1 Preliminaries of Elliptic Curve Theory An elliptic curve defined over a finite field Fp, p>3 and prime, is denoted by E(Fp) and contains the p... |

25 |
Comparing invariants for class fields of imaginary quadratic fields
- Enge, Morain
- 2002
(Show Context)
Citation Context ...nd moreover, the computation of mp1,p2 (z) involves the computation of four η-products and not two like ml(z). In order to construct the polynomial MD,l(x) with l =3, 5, 7, 13, we used Theorem 2 from =-=[9]-=- which for our purposes boils down to the following statement. Theorem 4. [9] Let l ∈{3, 5, 7, 13} and D>0 a discriminant such that l|D. Choose the power me l as specified in Table 1 . Assume Q =[A, B... |

16 |
Elliptic curves
- Blake, Seroussi, et al.
- 1999
(Show Context)
Citation Context ... et al. the Hilbert class field polynomials. Our aim is to facilitate the reading of the sections that follow. For full coverage of the necessary concepts and terms, the interested reader may consult =-=[5]-=-. Also, the proofs of certain theorems require basic knowledge of algebraic number theory and Galois theory. The interested reader is referred to [8, 31, 32] for definitions not given here due to lack... |

12 | Explicit construction of the Hilbert class fields of imaginary quadratic fields by integer lattice reduction
- Kaltofen, Yui
- 1989
(Show Context)
Citation Context ...(i) if D ≡ 0 (mod 3), then c = −1; (ii) if D �≡ 0 (mod 3), then c = −2. Proof. The constant term of the Weber polynomial is equal to (−1) h for the first case of D and (−2) h for the second case (see =-=[14]-=-). The Galois group of the extension HK/K operates on the roots modulo p of HD(x), and therefore on the cubic irreducible factors of WD(x) (every root of HD(x) corresponds to three roots of WD(x) and ... |

10 |
Efficient Algorithms for Generating Elliptic Curves over Finite Fields Suitable for Use in Cryptography
- Baier
- 2002
(Show Context)
Citation Context ...our experiments showedsGenerating Prime Order Elliptic Curves 273 that it is necessary for the proper construction of the polynomial MD,l(x). For example, for D = 51 the reduced forms are [1, 1, 13], =-=[3, 3, 5]-=- and the corresponding forms [Ai,Bi,Ci] forl = 3 are [67, 63, 15], [11, 9, 3]. The invariants me l (τ) are related with j(τ) through the modular equation Φl(me l (τ),j(τ)) = 0, based on the definition... |

10 | The probability that the number of points on an elliptic curve over a finite field is prime
- McKee
(Show Context)
Citation Context ...s generated and the process is repeated. This can be seen, approximately, as sampling from the set of ECs of prime order (for a fixed p). There is well supported theoretical and experimental evidence =-=[11]-=- that this cp probability is, asymptotically, log p , where cp is a constant depending on p and satisfying 0.44 ≤ cp ≤ 0.62. Thus, it appears that prime orders are not especially favored by the point ... |

8 |
On the Efficient Generation of Elliptic Curves over Prime Fields
- Konstantinou, Stamatiou, et al.
(Show Context)
Citation Context ...273 that it is necessary for the proper construction of the polynomial MD,l(x). For example, for D = 51 the reduced forms are [1, 1, 13], [3, 3, 5] and the corresponding forms [Ai,Bi,Ci] forl = 3 are =-=[67, 63, 15]-=-, [11, 9, 3]. The invariants me l (τ) are related with j(τ) through the modular equation Φl(me l (τ),j(τ)) = 0, based on the definitions of Φl(x, j) for the different values of l given in Table 2. Tab... |

7 |
Constructing Elliptic Curves from Modular Curves of Positive Genus
- Enge, Schertz
- 2003
(Show Context)
Citation Context ...ynomials. In particular, two types of polynomials can be constructed in Z[x] using two families of ηproducts: ml(z) = η(z/l) η(z) [21] for an integer l, andmp1,p2 (z) = η(z/p1)η(z/p2) η(z/(p1p2))η(z) =-=[10]-=-, where p1,p2 are primes such that 24|(p1 − 1)(p2 − 1). We will refer to the minimal polynomials of these products (powers of which generate the Hilbert class field and are called class invariants lik... |

6 | Elliptic Curves of Prime Order over Optimal Extension Fields for Use in Cryptography
- Baier
(Show Context)
Citation Context ... that the order of the generated EC is a prime number. Note that in certain applications it is necessary to have ECs of prime order [6]. Prime order ECs defined in various fields were also treated in =-=[2, 16, 20, 23]-=-. In this paper we follow the latter approach and study the use of the CM method for generating ECs of prime order in Fp. Although ECs with no restrictions on their order may be generated more efficie... |

6 | On the construction of prime order elliptic curves
- Konstantinou, Stamatiou, et al.
(Show Context)
Citation Context ... that the order of the generated EC is a prime number. Note that in certain applications it is necessary to have ECs of prime order [6]. Prime order ECs defined in various fields were also treated in =-=[2, 16, 20, 23]-=-. In this paper we follow the latter approach and study the use of the CM method for generating ECs of prime order in Fp. Although ECs with no restrictions on their order may be generated more efficie... |