## A taxonomy of pairing-friendly elliptic curves (2006)

Citations: 78 - 10 self

### BibTeX

```bibtex
@MISC{Freeman06ataxonomy,
    author = {David Freeman and Michael Scott and Edlyn Teske},
    title = {A taxonomy of pairing-friendly elliptic curves},
    year = {2006}
}
```

### Abstract

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

### Citations

1124 | Identity-based Encryption from the Weil Pairing
- Boneh, Franklin
- 2001
Citation Context ...g pairing-friendly elliptic curves. A diagram outlining this classification is given in Table 1.2. The designers of the first pairing-based protocols proposed the use of supersingular elliptic curves [BF03]. However, such curves are limited to embedding degree k = 2 for prime fields and k ≤ 6 in general [MOV93], so for higher embedding degrees we must turn to ordinary curves. There are a large number of... |

559 | Short signatures from the Weil pairing
- Lynn, Shacham
- 2001
Citation Context ... novel protocols have been suggested, including one-round three-way key exchange [Jou00], identity-based encryption [SOK00, BF03], identity-based signatures [CC03, Pat02], and short signature schemes [BLS02b]. Some of these protocols have already been deployed in the marketplace, and developers are eager to deploy many others. However, whereas standard elliptic curve cryptosystems such as ElGamal encrypti... |

527 | Finite Fields
- Lidl, Niederreiter
- 1984
Citation Context ...s We assume the reader is familiar with elliptic curves and finite fields; for a good exposition of the former, see Silverman’s book [Sil86], and for the latter, see the book of Lidl and Niederreiter [LN97]. We begin by fixing some notation related to elliptic curves. Let E be an elliptic curve defined over a field K; we may also use E/K (read “E over K”) to denote such a curve. We denote by E(K) the gr... |

292 | Efficient Algorithms for Pairing-Based Cryptosystems
- Barreto, Kim, et al.
- 2002
Citation Context ...o be a point on $E'(\mathbb{F}_{q^{k/2}})$, where $E'$ is a quadratic twist of E. In fact we usually prefer k to be even as this facilitates the “denominator elimination” optimization of Barreto, Kim, Lynn, and Scott [5]. Barreto and Naehrig [8] extend this idea to curves with sextic twists and embedding degree k divisible by 6, showing that Q can be taken to be a point on $E'(\mathbb{F}_{q^{k/6}})$, where $E'$ is a sextic twist of E... |

261 | A one round protocol for tripartite Diffie-Hellman
- Joux
Citation Context ...ars in cryptographic schemes based on pairings on elliptic curves. In a flurry of recent research results, many new and novel protocols have been suggested, including one-round three-way key exchange [Jou00], identity-based encryption [SOK00, BF03], identity-based signatures [CC03, Pat02], and short signature schemes [BLS02b]. Some of these protocols have already been deployed in the marketplace, and dev... |

189 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context ...er field K, with $\operatorname{End}(\tilde{E}) \otimes \mathbb{Q} \cong \mathbb{Q}(\sqrt{-D})$. (In this case D will not be unique.) The original application of pairings to cryptography, due to Menezes, Okamoto, and Vanstone [MOV93] and Frey and Rück [FR94], was the use of the Weil or Tate pairing (respectively) to reduce the discrete logarithm problem in the group of points on an elliptic curve to a discrete logarithm problem in the multiplicative grou... |

162 | Elliptic curves and primality proving
- Atkin, Morain
Citation Context ...M curves (§4.2) prime fields. The CM algorithm takes as input a prime power q (which in our applications will always be prime) and an integer n, and constructs an elliptic curve over $\mathbb{F}_q$ with n points [1]. In Section 2 we will give a list of conditions for a given k such that if q and n satisfy these conditions, then the algorithm will terminate in a reasonable amount of time and the curve constructed... |

150 | M.: Pairing-Friendly Elliptic Curves of Prime Order
- Barreto, Naehrig
- 2005
Citation Context ...iven in [5, 12]. • “Sporadic” families (§6.2): K is a (perhaps trivial) extension of a cyclotomic field, r is not a cyclotomic polynomial, and K contains $\sqrt{-D}$ for some small D. Constructions given in [7, 38], new examples in §6.2. • Scott-Barreto families (§6.3): K is an extension of a cyclotomic field, and K contains no $\sqrt{-D}$ for any small D. Constructions given in [70]. 1.3. New constructions. In additi... |

145 | An identity-based signature from Gap Diffie-Hellman groups - Cha, Cheon |

130 | Efficient pairing computation on supersingular abelian varieties
- Barreto, Galbraith, et al.
Citation Context ....1. Pairings and embedding degrees. The most common pairings used in applications are the Tate and Weil pairings on elliptic curves over finite fields; other proposed pairings include the Eta pairing [4], the ate pairing [41], and their generalizations [40]. Given an elliptic curve E defined over a finite field $\mathbb{F}_q$, all of these pairings take as inputs points on E that are defined over $\mathbb{F}_q$ or over an e... |

89 | Fast evaluation of logarithms in fields of characteristic two
- Coppersmith
- 1984
Citation Context ...ons for characteristic two fields or for prime fields exist. Note, however, that due to Coppersmith’s index calculus method for discrete logarithm computation in finite fields of small characteristic [Cop84], the fields $\mathbb{F}_q$ must be larger when $q = 2^s$ or $3^s$ than when $q = p$ or $p^2$. Remark 3.1. Supersingular curves are widely perceived as “weak” curves, and thus as not desirable for cryptographic applicat... |

77 | Pairing-based cryptography at high security levels
- Koblitz, Menezes
- 2005
Citation Context ...$= 2^s$ or $3^s$ than when $q = p$ or $p^2$. Remark 3.1. Supersingular curves are widely perceived as “weak” curves, and thus as not desirable for cryptographic applications. However, as Koblitz and Menezes [KM05] argue, “there is no known reason why a nonsupersingular curve with small embedding degree k would have any security advantage over a supersingular curve with the same embedding degree.” On the other ... |

75 | The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm
- Balasubramanian, Koblitz
- 1998
Citation Context ...ding degree of E needs to be small enough so that the pairing is easy to compute, but large enough so that the discrete logarithm in $\mathbb{F}_{q^k}^{\times}$ is computationally infeasible. Balasubramanian and Koblitz [3] showed that for a random elliptic curve E over a random field $\mathbb{F}_q$ and a prime r ≈ q, the probability that E has embedding degree less than $\log^2 q$ with respect to r is vanishingly small, and in genera... |

68 | Faster point multiplication on elliptic curves with efficient endomorphisms
- Gallant, Lambert, et al.
- 2001
Citation Context ...$30a^2x + 56a^3$ ($D = 2$), $E_3 : y^2 = x^3 + a$ ($D = 3$) for any $a \in \mathbb{F}_q^{\times}$. Furthermore, curves with small CM discriminant have low-degree endomorphisms which may be used to speed up elliptic curve arithmetic [GLV01], and curves with CM discriminant 1 or 3 have twists that can speed up pairing computation for certain embedding degrees k (Section 7.2). The table shows that in a large majority of cases, the optimal... |

51 | Constructing elliptic curves with prescribed embedding degrees
- Barreto, Lynn, et al.
- 2002
Citation Context ...families and the corresponding type of number field. • Cyclotomic families (§6.1): K is a cyclotomic field, r is a cyclotomic polynomial, and K contains $\sqrt{-D}$ for some small D. Constructions appear in [6, 17]. • “Sporadic” families (§6.2): K is a (perhaps trivial) extension of a cyclotomic field, r is not a cyclotomic polynomial, and K contains $\sqrt{-D}$ for some small D. Constructions appear in [8, 46]; we gi... |

46 | Efficient arithmetic in finite field extensions with application in elliptic curve cryptography
- Bailey, Paar
Citation Context ... the Generalized Riemann Hypothesis, the running time of the algorithm is $O((\log p)^{3+\epsilon})$ for any $\epsilon > 0$ [18, Theorem 3.8]. The requirement in Step (1) that −a be a nonsquare in $\mathbb{F}_q^{\times}$ guarantees that $E[2] \subset E(\mathbb{F}_q)$, so E has embedding degree 2 with respect to the subgroup of order 2 [60, Lemma 2]. The condition D ≡ 3 (mod 4) in Step (3a) guarantees that the Hilbert class polynomial $H_D$ has a root in $\mathbb{F}_q$ ... |

46 | Elliptic curves suitable for pairing based cryptography. Des
- Brezing, Weng
- 2005
Citation Context ...has been used by several different authors in their constructions, including Miyaji, Nakabayashi, and Takano [MNT01]; Barreto, Lynn, and Scott [BLS02a]; Scott and Barreto [SB06]; and Brezing and Weng [BW05]. Our definition of a family of pairing-friendly curves is a formalization of ideas implicit in these works. The definition provides a concise description of many existing constructions and gives us a... |

45 | On the Selection of Pairing-Friendly Groups
- Barreto, Lynn, et al.
- 2004
Citation Context ..., but the degree of a twist must still divide 6.) In general, the points input into a pairing on a curve of embedding degree k take the form $P \in E(\mathbb{F}_q)$, $Q \in E(\mathbb{F}_{q^k})$. However, Barreto, Lynn, and Scott [6] use the quadratic twist to show that when k is even, one can take Q to be a point on $E'(\mathbb{F}_{q^{k/2}})$, where $E'$ is a quadratic twist of E. Barreto and Naehrig [7] extend this idea to curves with sextic... |

42 | Unbelievable security. Matching AES security using public key systems
- Lenstra
- 2001
Citation Context ...t yet fully understood, especially over extension fields. We outline in Table 1.1 our own view of the matter, distilled from material taken from various authoritative sources, in particular [GPS] and [Len01]. The listed bit sizes are those matching the security levels of the SKIPJACK, Triple-DES, AES-Small, AES-Medium, and AES-Large symmetric key encryption schemes. Table 1.1. Bit sizes of curve paramete... |

40 | Identity-based key agreement protocols from pairings
- Chen, Cheng, et al.
- 2007
Citation Context ...es if “provable security” is desired. For a thorough discussion of security assumptions and a categorization of the different types of groups used in pairings, see the paper of Chen, Cheng, and Smart [CCS]. 7.6. The Ate pairing. While the Tate pairing is computed by iterating on the bits of the subgroup order r, the Ate pairing is computed by iterating on the bits of the trace t [HSV]. Thus if ω = log ... |

34 | Separating Decision Diffie-Hellman from Computational Diffie-Hellman in cryptographic groups
- Joux, Nguyen
Citation Context ...st not divide the group order in order to guarantee a nontrivial Tate pairing (see, e.g., [Jou00, JN03]), this condition is in fact not necessary for the Tate pairing to assume nontrivial values (cf. [JN03]). 6.4. More discriminants in cyclotomic families. The examples given by Brezing and Weng and others assume that the discriminant D is fixed in advance, so that all curves are constructed with the sam... |

33 | The complexity of class polynomial computation via floating point approximations
- Enge
Citation Context ...s of points. The complexity of the method is roughly $O(h_D)^{2+\epsilon}$, where $h_D$ is the class number of $\mathbb{Q}(\sqrt{-D})$ [Eng, Brö]. Given current computational power, the method can construct curves when $h_D \le 10^5$ [Eng]. Since $h_D$ grows roughly as $O(\sqrt{D})$, we see that “sufficiently small” in condition (5) can be taken to be $D < 10^{10}$. The equation in condition (5) is called the CM equation. If we use condition (3) t... |

32 | Ordinary abelian varieties having small embedding degree
- Galbraith, McKee, et al.
- 2005
Citation Context ...bit, 256-bit or 307-bit prime-order (see, for example, [PSV]). 5.2. Extensions of the MNT strategy. The MNT strategy has been extended by Scott and Barreto [SB06], and by Galbraith, McKee and Valença [GMV05], by allowing a small cofactor h. Starting out with (5.1), Scott and Barreto [SB06] substitute $r = \Phi_k(t-1)/d$ and $t = x + 1$, to obtain the equation (5.3) $Dy^2 = 4h\,\frac{\Phi_k(x)}{d} - (x - 1)^2$. As the right-han... |

32 | Hardware Implementation of Finite Fields of Characteristic Three
- Page, Smart
Citation Context ...d 3)). For the first curve, $t = \sqrt{3q}$ if and only if $4 \nmid s - 1$ and $t = -\sqrt{3q}$ otherwise, while for the second curve $t = \sqrt{3q}$ if and only if $4 \mid s - 1$ and $t = -\sqrt{3q}$ otherwise. Harrison, Page and Smart [HPS02] give specific choices of prime extension degrees s for which supersingular curves over $\mathbb{F}_{3^s}$ of almost-prime group order and embedding degree k = 6 exist. 4. Generating ordinary curves with arbitrary e... |

31 | Building curves with arbitrary small MOV degree over finite prime fields
- Dupont, Enge, et al.
Citation Context ...ns in the literature that produce ordinary elliptic curves with small embedding degree that are not given in terms of families: the method of Cocks and Pinch [CP] and that of Dupont, Enge, and Morain [DEM05]. In Section 4 we describe these two methods and discuss their merits and drawbacks. The remaining constructions of ordinary elliptic curves with small embedding degree fall into the category of famil... |

30 | Speeding Up the Discrete Log Computation on Curves with Automorphisms
- Duursma, Gaudry, et al.
- 1999
Citation Context ...; other constructions do better for some small k, k ≡ 4 (mod 6), and k divisible by 18. However, there are known methods to improve the efficiency of Pollard’s rho algorithm on curves with D = 1 or 3 [DGM99]. These methods lead to a decrease in security of only a few bits, but some users may take their existence as a warning that curves with small CM discriminant are in some sense special and should be a... |

28 | Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. Algorithmic Number Theory
- Freeman
- 2006
Citation Context ... transform the equation into a generalized Pell equation. Such equations often have an infinite number of solutions, in which case we obtain a family of curves in the sense of Definition 2.6. Freeman [Fre06] placed this result in a more general context by observing that if $f(x) = 4q(x) - t(x)^2$ is the right hand side of equation (5.1) and f(x) is square-free, deg f−1 2 ⌋. If then the equation defines a smo... |

28 | High security pairing-based cryptography revisited
- Granger, Page, et al.
- 2006
Citation Context ...ve E in this family $\#E(\mathbb{F}_q) = h\,r(x)$ where h is a constant-size cofactor. The most common pairing used in applications is the Tate pairing, which can in general be computed faster than the Weil pairing [GPS06]. Recently, a new pairing called the Ate pairing has been proposed [HSV], which in some cases can be computed even more quickly than the Tate pairing. The computation of the Ate pairing executes a loo... |

27 | Pairings for cryptographers. Cryptology ePrint Archive, Report 2006/165
- Galbraith, Paterson, et al.
- 2006
Citation Context ...acks is not yet fully understood, especially over extension fields. We outline in Table 1.1 our own view of the matter, distilled from material taken from various authoritative sources, in particular [GPS] and [Len01]. The listed bit sizes are those matching the security levels of the SKIPJACK, Triple-DES, AES-Small, AES-Medium, and AES-Large symmetric key encryption schemes. Table 1.1. Bit sizes of cu... |

17 | Constructing elliptic curves of prescribed order - Bröker - 2006 |

17 | Easy decision Diffie-Hellman groups - Galbraith, Rotger |

15 | E.: Identity-based cryptosystems based on the Weil pairing. Unpublished manuscript
- Cocks, Pinch
- 2001
Citation Context ...o families. There are also two constructions in the literature that produce ordinary elliptic curves with small embedding degree that are not given in terms of families: the method of Cocks and Pinch [CP] and that of Dupont, Enge, and Morain [DEM05]. In Section 4 we describe these two methods and discuss their merits and drawbacks. The remaining constructions of ordinary elliptic curves with small emb... |

14 | An introduction to pairing-based cryptography. Lectures notes - Menezes - 2005 |

9 | Silverman (eds.), Arithmetic geometry - Cornell, H - 1986 |

6 | The Eta pairing revisited. Cryptology ePrint Archive Report 2006/110. http://eprint.iacr.org/2006/110
- Hess, Smart, et al.
Citation Context ...mmon pairings used in applications are the Tate and Weil pairings on elliptic curves over finite fields; other proposed pairings include the Eta pairing [BGOS] and the recently discovered Ate pairing [HSV]. All of the proposed pairings take as input points on an elliptic curve E defined over a finite field $\mathbb{F}_q$ and give as output an element of an extension field $\mathbb{F}_{q^k}$. For the system to be secure, the di... |

5 | On the existence of distortion maps on ordinary elliptic curves. Cryptology ePrint Archive Report 2006/128. http://eprint.iacr.org/2006/128
- Charles
Citation Context ...utable endomorphism φ such that φ(P) ∈ 〈P 〉. A distortion map exists for a curve E with embedding degree k > 1 if and only if E is supersingular [Ver04, GR04]. For the k = 1 case, see Charles’ paper [Cha] for a thorough discussion, and Section 6.3 for an example. On ordinary elliptic curves there are other means of getting around the problem of the degeneracy of pairings on linearly dependent points, ... |

5 | Elliptic functions. Springer Graduate Texts - Lang - 1987 |

4 | Elliptic curves with low embedding degree
- Luca, Shparlinski
Citation Context ...olutions $(X_j, Y_j)$ of the generalized Pell equation grow exponentially, so that only very few x-values work, and we obtain a sparse family in the sense of Definition 2.6. In fact, Luca and Shparlinski [LS] give a heuristic argument that for any upper bound D, there exists only a finite number of MNT curves with discriminant D ≤ D, with no bound on the field size! On the other hand, specific sample curv... |

3 | Effective polynomial families for generating more pairing-friendly elliptic curves. Cryptology ePrint Archive Report 2005/236
- Duan, Cui, et al.
Citation Context ...d method for generating useful curves with embedding degree 3 and small ρ-value. Note that particularly fast $\mathbb{F}_{p^2}$ arithmetic results when optimal extension fields [BP01] are used; Duan, Cui and Chan [DCC] give sample families (with D = 3) and curves for this set-up. If $q = 2^s$, then curves with embedding degree 3 are of the form $y^2 + \gamma^j y = x^3 + \alpha$ where j ∈ {1, 2}, γ is a non-cube in $\mathbb{F}_q^{\times}$, and e... |

1 | The diophantine equation $x^2 - Dy^2$
- Matthews
Citation Context ... 1, by computing the simple continued fraction expansion of $\sqrt{SD}$. Then find a so-called fundamental solution $(X_0, Y_0)$ to $X^2 - SDY^2 = M$, for example using one of the techniques described by Matthews [Mat00] or Robertson [Rob]. Such a solution may or may not exist. If a solution exists, then for $j \in \mathbb{Z}$ define $(X_j, Y_j)$ through (5.2) $X_j + Y_j\sqrt{SD} = (U + V\sqrt{SD})^j \cdot (X_0 + Y_0\sqrt{SD})$. ... |