Pairing-friendly elliptic curves of prime order

P.S.L.M. Barreto; M. Naehrig

doi:10.1007/11693383_22

Pairing-friendly elliptic curves of prime order

P.S.L.M. Barreto, M. Naehrig

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

472 Citations (Scopus)

Abstract

Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree k \leqslant 6 Unknown control sequence '\leqslant'. More general methods produce curves over \mathbb FpFp where the bit length of p is often twice as large as that of the order r of the subgroup with embedding degree k; the best published results achieve ¿ = log(p)/log(r) ~ 5/4. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree k = 12. The new curves lead to very efficient implementation: non-pairing operations need no more than \mathbb Fp4Fp4 arithmetic, and pairing values can be compressed to one third of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants D to minimize ¿; in particular, for embedding degree k = 2q where q is prime we show that the ability to handle log(D)/log(r) ~ (q–3)/(q–1) enables building curves with ¿ ~ q/(q–1).

Original language	English
Title of host publication	Selected Areas in Cryptography (12th International Workshop, SAC 2005, Kingston ON, Canada, August 11-12, 2005, Revised Selected Papers)
Editors	B. Preneel, S. Tavares
Place of Publication	Berlin
Publisher	Springer
Pages	319-331
ISBN (Print)	978-3-540-33108-7
DOIs	https://doi.org/10.1007/11693383_22
Publication status	Published - 2006

Publication series

Name	Lecture Notes in Computer Science
Volume	3897
ISSN (Print)	0302-9743

Access to Document

10.1007/11693383_22

Fingerprint Dive into the research topics of 'Pairing-friendly elliptic curves of prime order'. Together they form a unique fingerprint.

Cite this

Barreto, P. S. L. M., & Naehrig, M. (2006). Pairing-friendly elliptic curves of prime order. In B. Preneel, & S. Tavares (Eds.), Selected Areas in Cryptography (12th International Workshop, SAC 2005, Kingston ON, Canada, August 11-12, 2005, Revised Selected Papers) (pp. 319-331). (Lecture Notes in Computer Science; Vol. 3897). Springer. https://doi.org/10.1007/11693383_22

@inproceedings{3b23a8cd86b242d6b95d27b916e4e77f,

title = "Pairing-friendly elliptic curves of prime order",

abstract = "Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree k \leqslant 6 Unknown control sequence '\leqslant'. More general methods produce curves over \mathbb FpFp where the bit length of p is often twice as large as that of the order r of the subgroup with embedding degree k; the best published results achieve ¿ = log(p)/log(r) ~ 5/4. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree k = 12. The new curves lead to very efficient implementation: non-pairing operations need no more than \mathbb Fp4Fp4 arithmetic, and pairing values can be compressed to one third of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants D to minimize ¿; in particular, for embedding degree k = 2q where q is prime we show that the ability to handle log(D)/log(r) ~ (q–3)/(q–1) enables building curves with ¿ ~ q/(q–1).",

author = "P.S.L.M. Barreto and M. Naehrig",

year = "2006",

doi = "10.1007/11693383_22",

language = "English",

isbn = "978-3-540-33108-7",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "319--331",

editor = "B. Preneel and S. Tavares",

booktitle = "Selected Areas in Cryptography (12th International Workshop, SAC 2005, Kingston ON, Canada, August 11-12, 2005, Revised Selected Papers)",

address = "Germany",

}

Pairing-friendly elliptic curves of prime order. / Barreto, P.S.L.M.; Naehrig, M.

Selected Areas in Cryptography (12th International Workshop, SAC 2005, Kingston ON, Canada, August 11-12, 2005, Revised Selected Papers). ed. / B. Preneel; S. Tavares. Berlin : Springer, 2006. p. 319-331 (Lecture Notes in Computer Science; Vol. 3897).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Pairing-friendly elliptic curves of prime order

AU - Barreto, P.S.L.M.

AU - Naehrig, M.

PY - 2006

Y1 - 2006

N2 - Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree k \leqslant 6 Unknown control sequence '\leqslant'. More general methods produce curves over \mathbb FpFp where the bit length of p is often twice as large as that of the order r of the subgroup with embedding degree k; the best published results achieve ¿ = log(p)/log(r) ~ 5/4. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree k = 12. The new curves lead to very efficient implementation: non-pairing operations need no more than \mathbb Fp4Fp4 arithmetic, and pairing values can be compressed to one third of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants D to minimize ¿; in particular, for embedding degree k = 2q where q is prime we show that the ability to handle log(D)/log(r) ~ (q–3)/(q–1) enables building curves with ¿ ~ q/(q–1).

AB - Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree k \leqslant 6 Unknown control sequence '\leqslant'. More general methods produce curves over \mathbb FpFp where the bit length of p is often twice as large as that of the order r of the subgroup with embedding degree k; the best published results achieve ¿ = log(p)/log(r) ~ 5/4. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree k = 12. The new curves lead to very efficient implementation: non-pairing operations need no more than \mathbb Fp4Fp4 arithmetic, and pairing values can be compressed to one third of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants D to minimize ¿; in particular, for embedding degree k = 2q where q is prime we show that the ability to handle log(D)/log(r) ~ (q–3)/(q–1) enables building curves with ¿ ~ q/(q–1).

U2 - 10.1007/11693383_22

DO - 10.1007/11693383_22

M3 - Conference contribution

SN - 978-3-540-33108-7

T3 - Lecture Notes in Computer Science

SP - 319

EP - 331

BT - Selected Areas in Cryptography (12th International Workshop, SAC 2005, Kingston ON, Canada, August 11-12, 2005, Revised Selected Papers)

A2 - Preneel, B.

A2 - Tavares, S.

PB - Springer

CY - Berlin

ER -