IEEE P1363.3 Submission: Pairing-Friendly Elliptic Curves of Prime Order with Embedding Degree 12

Paulo S. L. M. Barreto (1) and Michael Naehrig (2)

(1) Escola Politécnica, Universidade de São Paulo. Av. Prof. Luciano Gualberto, tr. 3, n. 158. BR 05508-900, São Paulo (SP), Brazil. [email protected]
(2) Lehrstuhl für Theoretische Informationstechnik, Rheinisch-Westfälische Technische Hochschule Aachen. Sommerfeldstr. 24. D-52074 Aachen, Germany. [email protected]

In this submission we propose an algorithm to construct elliptic curves of prime order with embedding degree $k = 12$ [2]. The constructed curves belong to a family of curves whose parameters are given by polynomials over the integers. Each curve $E$ in the family is defined over a prime field $F_p$ and its group of rational points $E(F_p)$ has prime order and embedding degree $k = 12$. The curves can be constructed via a simple algorithm which uses a special case of the complex multiplication method. We further point out some properties which may be useful to efficiently implement the curves for pairing-based cryptographic protocols.

Elliptic curves which shall be used for implementations of pairing-based schemes need to have small embedding degree. Supersingular elliptic curves fulfill this property, since in this case the embedding degree is shown to be not larger than 6. To achieve higher levels of security while keeping elliptic curve parameters as small as possible it is necessary to find elliptic curves with a small embedding degree which is larger than 6.

1 Curve Construction

The proposed family of curves is given via a parametrisation of the trace of Frobenius $t$ in the following way. Let $\Phi_k(X)$ be the $k$-th cyclotomic polynomial. If $E$ is an elliptic curve over $F_p$ for a prime $p$, the number of $F_p$-rational points $n$ satisfies $n = p + 1 - t$. Therefore $p \equiv t - 1 \pmod n$, so we have $n \mid \Phi_k(t - 1)$ if and only if $n \mid \Phi_k(p)$. Now $E(F_p)$ has embedding degree at most $k$ if $n \mid \Phi_k(t - 1)$ [1]. Using the parametrisation $t(u) = 6u^2 + 1$ from [6] and plugging it into $\Phi_{12}$ we get a factorisation $\Phi_{12}(t(u) - 1) = n(u)\,n(-u)$ into the product of two irreducible polynomials, where $n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1$. This leads to the following parametrisations:

$t(u) = 6u^2 + 1,$   (1)

$n(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1,$   (2)

$p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1,$   (3)

$t(u)^2 - 4p(u) = -3(6u^2 + 4u + 1)^2.$   (4)

A suitable curve can be found by finding a value $u \in \mathbb{Z}$ such that $n = n(u)$ and $p = p(u)$ given by the above formulae (2) and (3) are both prime. Then there exists an elliptic curve $E$ over $F_p$ whose group of $F_p$-rational points has $n$ elements and embedding degree $k = 12$. By equation (4) all such curves have complex multiplication with discriminant $D = -3$ and thus can be constructed via the complex multiplication method [10]. Since all curves have $j$-invariant equal to 0, the construction always yields curves given by an equation

$E : y^2 = x^3 + b.$   (5)

Algorithm 1 shows how the CM method simplifies in our setting. The algorithm takes as input the desired bit length of the primes $p$ and $n$, and returns instances of these primes, plus a parameter $b \in F_p$ such that the curve $E : y^2 = x^3 + b$ has order $n$ over the field $F_p$, and the coordinate $y$ of a sample generator $G = (1, y)$. See [2] for details.

2 Sextic Twists

Consider a curve $E$ constructed as above, now regarded as defined over $F_{p^2}$. Curves of the form (5) with $p \equiv 1 \pmod 6$ have sextic twists, i.e. there exists a curve $E'$ which is isomorphic to $E$ over a field extension of degree 6, where 6 is the minimal degree with this property [7]. Choose $\xi \in F_{p^2}$ to be neither a square nor a cube in $F_{p^2}$. Then the curve

$E' : y^2 = x^3 + b/\xi$   (6)

is a sextic twist of $E$ with regard to the base field $F_{p^2}$. This means there is an isomorphism defined over $F_{p^{12}}$

$\psi : E' \to E,\quad (x, y) \mapsto (z^2 x, z^3 y),$   (7)

where $z \in F_{p^{12}}$ is such that $z^6 = \xi$. We use the curve $E'$ to compress points in $E(F_{p^{12}})$ which will be the arguments of the Tate pairing $e$. Therefore we need to select $\xi$ such that the order of $E'(F_{p^2})$ is divisible by $n$. From [7] we see that there are two possible group orders for sextic twists, namely

$p^2 + 1 - (\pm 3tV + t^2 - 2p)/2,$   (8)

where $V = 6u^2 + 4u + 1$ is the value from equation (4), so that $t^2 - 4p = -3V^2$. The positive sign yields the right group order $n(p - 1 + t)$. One must check whether the chosen $\xi$ gives this order for the twist.

Algorithm 1 Constructing a curve of prime order with $k = 12$
Input: the approximate desired size $m$ of the curve order (in bits).
Output: parameters $p, n, b, y$ such that the curve $y^2 = x^3 + b$ has order $n$ over $F_p$ and the point $G = (1, y)$ is a generator of the curve.
1: Let $P(x) \equiv 36x^4 + 36x^3 + 24x^2 + 6x + 1$
2: Compute the smallest $x \approx 2^{m/4}$ such that $\lceil \log_2 P(-x) \rceil = m$.
3: loop
4:   $t \leftarrow 6x^2 + 1$
5:   $p \leftarrow P(-x)$, $n \leftarrow p + 1 - t$
6:   if $p$ and $n$ are prime then
7:     exit loop
8:   end if
9:   $p \leftarrow P(x)$, $n \leftarrow p + 1 - t$
10:  if $p$ and $n$ are prime then
11:    exit loop
12:  end if
13:  $x \leftarrow x + 1$
14: end loop
15: $b \leftarrow 0$
16: repeat
17:   repeat
18:     $b \leftarrow b + 1$
19:   until $b + 1$ is a quadratic residue mod $p$
20:   Compute $y$ such that $y^2 = b + 1 \bmod p$
21:   $G \leftarrow (1, y)$ on the curve $E : y^2 = x^3 + b$
22: until $nG = \infty$
23: return $p, n, b, y$.
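As an added worked example (not code from the submission), the following Python implements Algorithm 1 for toy parameter sizes and verifies the result: trial division stands in for a proper primality test, Tonelli-Shanks computes the square root of step 20, and the names bn_curve, ec_add, ec_mul and sqrt_mod are assumed here. It searches for the smallest $x$ with $P(-x)$ of at least $m$ bits rather than exactly $m$ bits, since for very small $m$ no $x$ satisfies the exact condition.

```python
from math import isqrt

def is_prime(n):  # trial division is enough for toy sizes; use Miller-Rabin for real ones
    return n > 1 and all(n % k for k in range(2, isqrt(n) + 1))

def sqrt_mod(a, p):  # Tonelli-Shanks: a square root of the quadratic residue a mod prime p
    q, s = p - 1, 0
    while q % 2 == 0: q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, u = 0, t
        while u != 1: u, i = u * u % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def P(x):  # p(u) of equation (3)
    return 36 * x**4 + 36 * x**3 + 24 * x**2 + 6 * x + 1

def ec_add(p, A, B):  # affine addition on y^2 = x^3 + b over F_p; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(p, k, A):  # double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1: R = ec_add(p, R, A)
        A, k = ec_add(p, A, A), k >> 1
    return R

def bn_curve(m):  # Algorithm 1 (added example, names assumed): (p, n, b, y), E: y^2 = x^3 + b, G = (1, y)
    x = 1 << max(0, (m - 7) // 4)            # start safely below 2^(m/4)
    while P(-x).bit_length() < m: x += 1     # smallest x with P(-x) of at least m bits
    while True:                              # steps 3-14: try u = -x first, then u = x
        t = 6 * x * x + 1
        ok = [(q, q + 1 - t) for q in (P(-x), P(x)) if is_prime(q) and is_prime(q + 1 - t)]
        if ok: break
        x += 1
    (p, n), b = ok[0], 0
    while True:                              # steps 15-22: find b such that G = (1, y) has order n
        b += 1
        while pow(b + 1, (p - 1) // 2, p) != 1: b += 1   # until b + 1 is a quadratic residue mod p
        y = sqrt_mod(b + 1, p)
        if ec_mul(p, n, (1, y)) is None: return p, n, b, y
```

For $m = 7$ the search lands on $u = -2$, giving $p = 373$ and $n = 349$; brute-force point counting over $F_{373}$ confirms the curve order, and checking $p^k \bmod n$ for $k = 1, \dots, 12$ confirms embedding degree 12.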

3 Point Compression

For the second argument of the Tate pairing we use the points in the $p$-eigenspace of the Frobenius endomorphism in the group $E(F_{p^{12}})$. These points are not defined over $F_p$. But we can compress such points by representing them by points on the sextic twist $E'(F_{p^2})$. Let $Q \in E(F_{p^{12}})$ be a point of order $n$ not defined over $F_p$. Then the point $Q' = \psi^{-1}(Q) \in E'(F_{p^2})[n]$. We may thus use points on the twist defined over $F_{p^2}$ for non-pairing operations and only map to $E(F_{p^{12}})$ when actually computing pairings. Using standard point compression techniques, for example keeping only the $x$-coordinate of a point and one bit to decide which of the at most two possible $y$-coordinates is the right one, allows us to represent the pairing arguments by at most one $F_{p^2}$-element plus one bit.

4 Pairing Compression

It is possible to compress points on the sextic twist $E'$ to only one $F_{p^2}$-value. From that we can compute a compressed pairing value in $F_{p^4}$ which can be exponentiated implicitly. The notion of compressed pairings was introduced in [11]. The idea is to store only the $y$-coordinate of a point $Q'$ on the sextic twist $E'$ and to discard the $x$-coordinate. For all possible points $Q'$ with a given $y$-coordinate the compressed pairing value $\mathrm{tr}_{F_{p^4}}(e(P, \psi(Q')))$ is the same. In this way we achieve a twofold point compression along with a threefold pairing compression. Using the techniques for implicit trace exponentiation from the XTR system [8] gives us the opportunity to compute compressed values of powers of known pairing values without going back to $F_{p^{12}}$-arithmetic. The prime $p$ in the XTR system only needs to be replaced by $p^2$.

5 Related Constructions

5.1 MNT curves and generalisations

In their pioneering work [9] Miyaji, Nakabayashi and Takano describe an algorithm to construct ordinary elliptic curves of prime order which have embedding degree 3, 4 and 6 (so-called MNT curves). This work showed for the first time how to find non-supersingular curves with small embedding degree. But the embedding degree is still too small to achieve higher security levels, and the construction does not allow for a generalisation to larger embedding degrees. Some work has been done to generalise the MNT construction. Barreto, Lynn and Scott [1], Brezing and Weng [3] as well as Dupont, Enge and Morain [4] give constructions for larger embedding degrees. But all curves in their constructions have composite group orders, which is a disadvantage since elliptic curve parameters have to be increased to match the demanded security levels.

Galbraith, McKee and Valença [6] generalise the MNT parametrisation to hyperelliptic curves of genus 2 and are able to parametrise families of such curves with embedding degrees 5, 10 and 12. Unfortunately no construction method is given to obtain the curve equations.

5.2 Freeman curves

Using techniques and ideas similar to those described in this submission Freeman shows in [5] how to construct elliptic curves of prime order which have embedding degree k = 10.

References

1. P. S. L. M. Barreto, B. Lynn, and M. Scott. Constructing elliptic curves with prescribed embedding degrees. In Security in Communication Networks – SCN'2002, volume 2576 of Lecture Notes in Computer Science, pages 263–273. Springer-Verlag, 2002.
2. P. S. L. M. Barreto and M. Naehrig. Pairing-friendly elliptic curves of prime order. In Selected Areas in Cryptography – SAC'2005, volume 3897 of Lecture Notes in Computer Science, pages 319–331. Springer-Verlag, 2006.
3. F. Brezing and A. Weng. Elliptic curves suitable for pairing based cryptography. Cryptology ePrint Archive, Report 2003/143, 2003. Available from http://eprint.iacr.org/2003/143.
4. R. Dupont, A. Enge, and F. Morain. Building curves with arbitrary small MOV degree over finite prime fields. Journal of Cryptology, 18(2):79–89, 2005.
5. D. Freeman. Constructing pairing-friendly elliptic curves with embedding degree 10. In Algorithmic Number Theory Symposium – ANTS-VII, volume 4076 of Lecture Notes in Computer Science, pages 452–465. Springer-Verlag, 2006.
6. S. Galbraith, J. McKee, and P. Valença. Ordinary abelian varieties having small embedding degree. Cryptology ePrint Archive, Report 2004/365, 2004. Available from http://eprint.iacr.org/2004/365.
7. F. Hess, N. P. Smart, and F. Vercauteren. The eta pairing revisited. Cryptology ePrint Archive, Report 2006/110, 2006. Available from http://eprint.iacr.org/2006/110.
8. A. K. Lenstra and E. R. Verheul. The XTR public key system. In Advances in Cryptology – Crypto'2000, volume 1880 of Lecture Notes in Computer Science, pages 1–19. Springer-Verlag, 2000.
9. A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals, E84-A(5):1234–1243, 2001.
10. F. Morain. Building cyclic elliptic curves modulo large primes. In Advances in Cryptology – Eurocrypt'1991, volume 547 of Lecture Notes in Computer Science, pages 328–336. Springer-Verlag, 1991.
11. M. Scott and P. S. L. M. Barreto. Compressed pairings. In Advances in Cryptology – Crypto'2004, volume 3152 of Lecture Notes in Computer Science, pages 140–156, Santa Barbara, USA, 2004. Springer-Verlag.