## Ordinary abelian varieties having small embedding degree (2004)

Venue: | IN PROC. WORKSHOP ON MATHEMATICAL PROBLEMS AND TECHNIQUES IN CRYPTOLOGY |

Citations: | 33 - 1 self |

### BibTeX

@INPROCEEDINGS{Galbraith04ordinaryabelian,

author = {Steven D. Galbraith and J. McKee and P. Valença},

title = {Ordinary abelian varieties having small embedding degree },

booktitle = {IN PROC. WORKSHOP ON MATHEMATICAL PROBLEMS AND TECHNIQUES IN CRYPTOLOGY},

year = {2004},

pages = {29--45},

publisher = {}

}

### OpenURL

### Abstract

Miyaji, Nakabayashi and Takano (MNT) gave families of group orders of ordinary elliptic curves with embedding degree suitable for pairing applications. In this paper we generalise their results by giving families corresponding to non-prime group orders. We also consider the case of ordinary abelian varieties of dimension 2. We give families of group orders with embedding degrees 5, 10 and 12.

### Citations

905 | The arithmetic of elliptic curves - Silverman - 1986 |

717 |
The MAGMA algebra system I: the user language
- Bosma, Cannon, et al.
- 1997
(Show Context)
Citation Context ... each case. When this is done, q and t are expressed as polynomials in Z[l], and these are the (q, t) pairs presented in the tables below. Using similar analysis for cofactors up to 5, and some MAGMA =-=[5]-=- code, we get the following theorem. 5sTheorem 1. The only quadratic families of elliptic curves that have embedding degree 3, 4, or 6, and cofactor h in the range 2 ≤ h ≤ 5 are those given by tables ... |

259 |
Advanced topics in the arithmetic of elliptic curves
- Silverman
- 1994
(Show Context)
Citation Context ...lex Multiplication works well. Selecting one of these pairs (q, t), it is possible to construct an elliptic curve E/Fq with q + 1 − t points by using Complex Multiplication (see, for example, [4] and =-=[18]-=-). We outline the preparatory details here. Associated with an elliptic curve is the quantity t 2 − 4q which is negative. Write −Dy 2 = t 2 − 4q (2) where D > 0 is either of the form 4d or d with d sq... |

207 |
A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Ruck
- 1976
(Show Context)
Citation Context ...cases. The parameters for the ordinary case are 7.3 k = 5 n = q 2 ± � 2q(q + 1) + q + 1 , a1 = ± � 2q + 1 , a2 = 2q + 1 . The relevant equations for A, B, C, D are now and 2AD + 2BC − 2BD − C 2 = 0 , =-=(8)-=- Eliminating D gives the elliptic curve defined by 2AC + B 2 − C 2 − 2BD = 0 . (9) 2A 2 C + AB 2 − 2ABC − AC 2 − B 3 + 2B 2 C = 0 . First treat the case A=0. If also B = 0, then (A : B : C : D) = (0 :... |

179 |
Elliptic Curves in Cryptography
- Blake, Seroussi, et al.
- 1999
(Show Context)
Citation Context ...via Complex Multiplication works well. Selecting one of these pairs (q, t), it is possible to construct an elliptic curve E/Fq with q + 1 − t points by using Complex Multiplication (see, for example, =-=[4]-=- and [18]). We outline the preparatory details here. Associated with an elliptic curve is the quantity t 2 − 4q which is negative. Write −Dy 2 = t 2 − 4q (2) where D > 0 is either of the form 4d or d ... |

153 |
Implementing the Tate pairing
- Galbraith, Harrison, et al.
- 2002
(Show Context)
Citation Context ...ar curves. In characteristic two there are curves which allow k = 4, while in characteristic three there are curves which allow k = 6. Efficient implementations using these curves have been developed =-=[2, 7, 10]-=-. There are, however, some unfortunate problems with this approach. First, there are only a small number of suitable group orders available. Second, due to Coppersmith’s index calculus method for disc... |

105 | New explicit condition of elliptic curve trace for FRreduction
- Miyaji, Nakabayashi, et al.
(Show Context)
Citation Context ...used in the case of large prime characteristic. Hence it is attractive to use ordinary (i.e., non-supersingular) curves. This is made possible by the important paper of Miyaji, Nakabayashi and Takano =-=[12]-=-. They give families of group orders of ordinary curves with embedding degrees 3, 4 and 6. In this paper we extend the methods of Miyaji, Nakabayashi and Takano (MNT) in two directions. First, we obta... |

92 | Supersingular curves in cryptography
- Galbraith
- 2001
(Show Context)
Citation Context ...explicit families. The second direction taken in the paper is to consider abelian varieties of dimension two. Supersingular abelian varieties have already been proposed for pairing-based cryptography =-=[9, 13]-=-. For example, one can obtain embedding degree 12 from a supersingular abelian surface in characteristic two. We give heuristics which suggest that suitable ordinary abelian surfaces exist. We describ... |

91 | Tate pairing implementation for hyperelliptic curves y2 = xp x + d
- IM, Lee
- 2003
(Show Context)
Citation Context ...ar curves. In characteristic two there are curves which allow k = 4, while in characteristic three there are curves which allow k = 6. Efficient implementations using these curves have been developed =-=[2, 7, 10]-=-. There are, however, some unfortunate problems with this approach. First, there are only a small number of suitable group orders available. Second, due to Coppersmith’s index calculus method for disc... |

82 |
The improbability that an elliptic curve has subexponential discrete log problem under the MOV algorithm
- Balasubramanian, Koblitz
- 1998
(Show Context)
Citation Context ...o the modified families in table 1. Of course one expects only θ( √ M/ log M) elements of S ′ for which q is a prime power. Some related work to the above is the result of Balasubramanian and Koblitz =-=[1]-=- which implies that there are O( √ M(log M) 9 (log log M) 2 ) isogeny classes of elliptic curves over Fp with M/2 ≤ p ≤ M, #E(Fp) = r prime, and r | (p k − 1) for some k ≤ (log p) 2 . 8s4.2 Heuristics... |

53 | Efficient implementation of pairing-based cryptosystems
- Barreto, Lynn, et al.
(Show Context)
Citation Context ...ar curves. In characteristic two there are curves which allow k = 4, while in characteristic three there are curves which allow k = 6. Efficient implementations using these curves have been developed =-=[2, 7, 10]-=-. There are, however, some unfortunate problems with this approach. First, there are only a small number of suitable group orders available. Second, due to Coppersmith’s index calculus method for disc... |

48 | On the selection of pairing-friendly groups
- Barreto, Lynn, et al.
(Show Context)
Citation Context ... generalise the MNT argument to allow for cofactors, indicating how all curves with prescribed cofactor and embedding degree may be found. Other generalisations of the MNT approach have been given in =-=[3, 6]-=-. 3.1 The details in the case k = 6 We require λr = Φ6(q) = q 2 −q+1. Applying the same idea as in [12], we observe that n(h(q + 1 + t) − λ) = h(q + 1 − t)(q + 1 + t) − hrλ = h(3q − t 2 ). (1) Dividin... |

48 | Elliptic curves suitable for pairing based cryptography. Des
- Brezing, Weng
- 2005
(Show Context)
Citation Context ... generalise the MNT argument to allow for cofactors, indicating how all curves with prescribed cofactor and embedding degree may be found. Other generalisations of the MNT approach have been given in =-=[3, 6]-=-. 3.1 The details in the case k = 6 We require λr = Φ6(q) = q 2 −q+1. Applying the same idea as in [12], we observe that n(h(q + 1 + t) − λ) = h(q + 1 − t)(q + 1 + t) − hrλ = h(3q − t 2 ). (1) Dividin... |

48 | Supersingular abelian varieties in cryptology
- Rubin, Silverberg
(Show Context)
Citation Context ...explicit families. The second direction taken in the paper is to consider abelian varieties of dimension two. Supersingular abelian varieties have already been proposed for pairing-based cryptography =-=[9, 13]-=-. For example, one can obtain embedding degree 12 from a supersingular abelian surface in characteristic two. We give heuristics which suggest that suitable ordinary abelian surfaces exist. We describ... |

15 |
Abelian surfaces and Jacobian varieties over finite fields
- Rück
- 1990
(Show Context)
Citation Context ...#A(Fq) = P (1) = q 2 + a1q +a2 +a1 +1 and it is known that ( √ q −1) 4 < n < ( √ q +1) 4 . If A is ordinary, then we get more precise bounds |a1| < 4 √ q and −2q+2|a1| √ q < a2 < a 2 1/4+2q (see Rück =-=[14]-=-). Since n ≈ q 2 we generally choose k so that ϕ(k) ≥ 4. Motivated by the elliptic curve case, we define S = {(q, n) : 1 ≤ q ≤ M, |n − q 2 | < 4q √ q}. The volume of S is about 3M 5/2 . Similarly, def... |

11 |
Generating more MNT elliptic curves,” Cryptology ePrint Archive, Report 2004/058
- Scott, Barreto
- 2004
(Show Context)
Citation Context ... of Miyaji, Nakabayashi and Takano (MNT) in two directions. First, we obtain a larger class of families by incorporating cofactors into the analysis. This idea has also been used by Scott and Barreto =-=[15]-=-, although they do not give explicit families. The second direction taken in the paper is to consider abelian varieties of dimension two. Supersingular abelian varieties have already been proposed for... |

1 |
personal communication
- Scourfield
(Show Context)
Citation Context ...t us make the reasonable assumption that we expect n | Φk(q) with probability θ(1/n). (The number of solutions to Φk(x) ≡ 0 (mod n) behaves erratically as n varies, but some recent work of Scourfield =-=[16]-=- shows that it is on average constant.) Now, approximating n ≈ M we deduce that the number of points in S ′ is roughly θ(1/M) times the number of points in Z 2 ∩ S. This heuristic is supported perfect... |