Abstract
Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.
Additional information
Communicated by Dan Boneh
Rights and permissions
Open Access This is an open access article distributed under the terms of the Creative Commons Attribution Noncommercial License (https://creativecommons.org/licenses/by-nc/2.0), which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.
About this article
Cite this article
Freeman, D., Scott, M. & Teske, E. A Taxonomy of Pairing-Friendly Elliptic Curves. J Cryptol 23, 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z
DOI: https://doi.org/10.1007/s00145-009-9048-z