On the Efficient Generation of Prime-Order Elliptic Curves

Abstract

We consider the generation of prime-order elliptic curves (ECs) over a prime field $\mathbb{F}_{p}$ using the Complex Multiplication (CM) method. A crucial step of this method is to compute the roots of a special type of class field polynomials, the most commonly used being the Hilbert and Weber ones. These polynomials are uniquely determined by the CM discriminant $D$. In this paper, we consider a variant of the CM method for constructing ECs of prime order using Weber polynomials. In attempting to construct prime-order ECs using Weber polynomials, two difficulties arise (in addition to the necessary transformations of the roots of such polynomials to those of their Hilbert counterparts). The first one is that the requirement of prime order necessitates that $D \equiv 3 \pmod{8}$, which gives Weber polynomials with degree three times larger than the degree of their corresponding Hilbert polynomials (a fact that could affect efficiency). The second difficulty is that these Weber polynomials do not have roots in $\mathbb{F}_{p}$. In this work, we show how to overcome the above difficulties and provide efficient methods for generating ECs of prime order, focusing on their support by a thorough experimental study. In particular, we show that such Weber polynomials have roots in the extension field $\mathbb{F}_{p^{3}}$ and present a set of transformations for mapping roots of Weber polynomials in $\mathbb{F}_{p^{3}}$ to roots of their corresponding Hilbert polynomials in $\mathbb{F}_{p}$. We also show how an alternative class of polynomials, with degree equal to their corresponding Hilbert counterparts (and hence having roots in $\mathbb{F}_{p}$), can be used in the CM method to generate prime-order ECs. We conduct an extensive experimental study comparing the efficiency of using this alternative class against the use of the aforementioned Weber polynomials.
Finally, we investigate the time efficiency of the CM variant under four different implementations of a crucial step of the variant and demonstrate the superiority of two of them.
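The constraint $D \equiv 3 \pmod{8}$ stated in the abstract can be checked numerically. The following is an added example, not code from the paper: it assumes the standard CM relations $4p = u^2 + Dv^2$ with candidate orders $p + 1 \pm u$ (not quoted in the abstract), uses hypothetical function names, and scans every positive $D \equiv 0, 3 \pmod 4$, including non-fundamental ones.

```python
from math import isqrt

def is_prime(n):
    """Trial division; adequate for the small constructed inputs used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def cm_solutions(p, D):
    """All (u, v) with u, v > 0 satisfying the CM equation 4p = u^2 + D*v^2."""
    sols = []
    v = 1
    while D * v * v < 4 * p:
        u2 = 4 * p - D * v * v
        u = isqrt(u2)
        if u * u == u2:
            sols.append((u, v))
        v += 1
    return sols

def prime_order_discriminants(p, d_max):
    """Map each D <= d_max to the prime candidate orders p + 1 +/- u it yields.

    Assumption: D is taken positive (the curve's CM discriminant is -D), so
    valid values satisfy D = 0 or 3 (mod 4).
    """
    found = {}
    for D in range(3, d_max + 1):
        if D % 4 not in (0, 3):
            continue
        orders = set()
        for u, _v in cm_solutions(p, D):
            for m in (p + 1 - u, p + 1 + u):
                if is_prime(m):
                    orders.add(m)
        if orders:
            found[D] = sorted(orders)
    return found

def all_prime_order_d_are_3_mod_8(p_max):
    """Check the abstract's constraint for every prime 7 <= p <= p_max."""
    return all(D % 8 == 3
               for p in range(7, p_max + 1) if is_prime(p)
               for D in prime_order_discriminants(p, 4 * p))
```

The reason is a parity argument: for $p \ge 7$ a prime order is odd, so $u$ is odd and $u^2 \equiv 1 \pmod 8$; then $Dv^2 \equiv 3 \pmod 8$ forces $v$ odd and hence $D \equiv 3 \pmod 8$.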