A new method of choosing primitive elements for Brezing-Weng families of pairing friendly elliptic curves

Transcription

1 A new method of choosing primitive elements for Brezing-Weng families of pairing friendly elliptic curves Kisoon Yoon Abstract In this paper we present a new method of choosing primitive elements for Brezing- Weng families of pairing friendly elliptic curves with small rho-value, and we improve on previously-nown best rho-values of families [0] for the cases = 6,, 8 and 46. Our construction uses xed discriminants. Introduction. Pairing friendly elliptic curves Let E be an elliptic curve dened over a nite eld F q and let r be a prime number. Let be the smallest positive integer such that the group E[r] of r-torsion points of E is contained in E(F q ). Then the group µ r of r th roots of unity lies in F q and there exist non-degenerate bilinear pairings e : G G µ r, where G and G are suitable subgroups of E[r] of order r. The existence of such pairings maes it possible to reduce the Elliptic Curve Discrete Logarithm Problem (ECDLP) [6], [] on E to the Discrete Logarithm Problem (DLP) on µ r F q time algorithms []. for which there exist sub-exponential Laboratoire de Mathématiques Nicolas Oresme, CNRS UM3 639, Université de Caen Basse- Normandie, 403 Caen cedex, France. isoon.yoon@unicaen.fr This paper was written while the author was a Ph. D. student at the Université de Caen Basse-Normandie funded by NSHC Co., Ltd., Korea. I would lie to than professor John Boxall for his advice and attention to my wor. Date: March 9, 03 Key words and phrases. Elliptic curves, nite elds, pairing-based cryptography.

2 On the other hand, on the constructive side, cryptographic protocols based on pairings were rst proposed in [3], [], [5] and many other protocols have been proposed and implementations need high speed algorithms and elliptic curves having prescribed properties. Generally, the Tate pairing is preferred to the Weil pairing for the reason of eciency. Other pairings are introduced more recently, many of which are special cases of optimal pairings introduced by Vercauteren [] and Hess []. To avoid the nown attacs mentioned above, the integer must be suciently large in order that the DLP in F is infeasible, but not so large that the computations in F q q become too slow. We dene the embedding degree of an elliptic curve E the least positive integer such that r divides q. From [], we now that E[r] E(F q ) for and that elliptic curves having of low embedding degree are very rare. There exists the heuristic asymptotic formula for the number of pairing friendly elliptic curves, which explain concretely about the rareness of such curves along the rho-values [6]. An elliptic curve is called pairing-friendly if r is suitable for cryptography and if is small. The following more precise denition suggested by Freeman, Scott et Tese [0]. Denition.. An elliptic curve E over F q is said to be pairing friendly if following two conditions are satised: () There exists a prime number r such that r q and r divides E(F q ), and () The embedding degree of E is bounded by log (r)/8. Because the embedding degree of a supersingular curve belongs to {,, 3, 4, 6} [7], [0], any supersingular curve having a subgroup of suciently large prime order is pairing friendly. It is easy to construct examples of super-singular elliptic curves (See Ÿ 3 of [0] for details). But for higher security levels higher embedding degrees are more appropriate so ordinary elliptic curves must be used. The existence of an ordinary elliptic curve E of embedding degree over a nite eld F q with q elements such that E(F q ) contains a subgroup of order r implies existence of integers t, D and y such that () q is a prime or a power of prime. () r is a prime. (3) t is relatively prime to q. (4) (t ) + Dy 0 (mod r).

3 (5) Φ (t ) 0 (mod r) where Φ (x) is the -th cyclotomic polynomial. (6) 4q t = Dy where D is a square-free integer, and y is an integer. The integer t is the trace of the Frobenius endomorphism of E over F q so that #E(F q ) = q + t. Deuring [8] showed that, if t is an integer satisfying the condition (3), then there exists an ordinary elliptic curve over F q the number of points of which equals to q + t. The condition (6) means that the endomorphism ring of E is an order in the imaginary quadratic eld Q( D). Because the diculty of explicit construction of E increases rapidly with the size D, in practice D has to be small enough. So, it is desirable to consider D as constant. Therefore we can formulate the problem of the construction of pairing friendly ordinary elliptic curves as follows. Given and D, nd the integers q, t, r and y that satisfy the conditions from () to (6). For eciency, it is preferable that the eld size q is as small as possible with respect to r. So, as a measure of estimating elliptic curves, we dene rho-value of an elliptic curve as follows ρ = log q log r. () Since t q, a rho-value is at least one. Naturally, the nearer to one is the rho-value, the better is an elliptic curve estimated. Fix an integer and a positive square-free integer D. A parametrized family of pairing friendly elliptic curve is a system of polynomials having rational coecients r(x), t(x), q(x) that represent simultaneously integers r, t, q that satisfy the conditions from () to (6). If there exist innitely many solutions of the equation t(x) 4q(x) = Dy, we call the family a sparse family, and furthermore if y can be parametrized as y(x) a polynomial of x, we call the family a complete family. With the polynomials r(x) and q(x) of a family, we dene the rho-value of the family by ρ x = deg q(x) deg r(x). () A number of dierent constructions of sparse families and complete families can be found in the literature. A very detailed survey of results obtained up to about 00 is in [0]. 3

4 . The Brezing-Weng method In [7], Brezing and Weng proposed a general method of constructing complete families by means of algebraic extension of Q. We recall a mild generalization of the algorithm. Fix an embedding degree and a square-free positive integer D. A primitive -th root of unity is denoted by ζ. The following is a brief description of the Brezing-Weng algorithm. Note that the output contains y(x) because it produces complete families. Algorithm.. Brezing-Weng method. INPUT: : positive integer, D: a square-free positive integer OUTPUT: A complete family of elliptic curves (r(x), t(x), y(x), q(x)). Choose an irreducible polynomial r(x) such that D, ζ Q[x]/(r(x)). Let α be the image of x in Q[x]/(r(x)) under the canonical isomorphism.. Calculate polynomials t(x) and y(x) Q[x] such that t(α) = ζ + and y(α) = (t(α) ) D D. 3. Let q(x) = 4 (t(x) + Dy(x) ) Q[x]. 4. If t(x) and y(x) represent integers, q(x) represents prime numbers, and r(x) represents almost prime numbers, then OUTPUT((r(x), t(x), y(x), q(x))). Otherwise go to. The element α in the algorithm is a primitive element of the eld K = Q[x]/(r(x)). We say that the polynomials r(x), t(x), y(x) and q(x) are associated to α. The polynomial r(x) is often taen to be a cyclotomic polynomial, i. e. a root of unity is taen as the primitive element of the eld extension K/Q where K = Q(ζ, D). Kachisa, Schaefer and Scott [4] have used primitive elements other than roots of unity to construct some Brezing-Weng families having smaller rho-values. The article of Freeman, Scott and Tese [0] propose various constructions of complete families based on the method of Brezing-Weng. The table 5 of [0] presents the best rho-values of existing families for 50 nown before about 00. Improvements in rho-values arising from so-called variable discriminant families have recently been obtained in [9]. 4

5 Primitive elements of the proposed form. Introduction Fix an embedding degree and let D be a square-free positive integer. Let ζ be a primitive -th root of unity. Let D a square root of D. From now on K always denotes the extension eld Q(ζ, D). Note that K = Q(ζ ) when D Q(ζ ). The conditions that D Q(ζ ) are discussed in [8]. We consider an element of the form α = α(a, b, D, ) = (a + b D)ζ K (3) where a and b are rational numbers. We rst study the conditions α to be a primitive element of the extension K/Q. Remar.. In some cases, α is a primitive element of K for some chances of ζ and D, but not for others. This can only happen when D Q(ζ ). See the proof of the Theorem.6 for details of the cases when this happens. Proposition.. Let α be as in (3). We can write the -th power of the equality as α = A + B D, (4) where A, B Q. If B 0, then α is a primitive element of the extension K/Q. Proof. Let r(x) be the minimal polynomial of α such that Q(α) = Q[x]/(r(x)). From (4), we now that α is a root of the polynomial r 0 (x) = x Ax + A + DB. If B 0, then from (4) we obtain D = x A in Q[x]/(r(x)). From (3) and using the fact that B r(x) divides r 0 (x), we obtain a representation ζ = bx+ +(ab+ab)x in Q[x]/(r(x)). As a B(a +b D) consequence, because both D and ζ are in Q(α), we have K = Q(ζ, D) Q(α). By the denition of α, clearly Q(α) K. Therefore K = Q(α). Remar.3. In the proof of the Proposition., we obtain the representations of ζ and D in Q[x]/(r(x)) under the condition that B 0, from which we obtain immediately the polynomial representations t(x) = ζ +, y(x) = D(ζ ) and can compute q(x) = D 4 (t(x) + Dy(x) ). This procedure gives an outline of our construction, which is detailed in Ÿ.. In the cases where B = 0, there are triplets (a, b, D) such that α(a, b, D) is not a primitive element. We shall discuss this in Theorem.6. 5

6 Lemma.4. Let ξ = a + b D where a, b Q, b 0 and D is a square-free positive integer. Let be a positive integer. Then ξ is a rational number if and only if one of followings holds. (i) and ξ = r D, or (ii) 4 and ξ = r( ± ), or (iii) 3 and ξ = r( ± 3), or (iv) 6 and ξ = r(3 ± 3), for a nonzero rational number r. Proof. Note that we have b 0 and > 0 in the assumption. Dene T (a, b, D) = { Z ξ Q}. We have ξ = ξ where ξ is the complex conjugation of ξ, so ξ ξ =. ( ) If T (a, b, D), then T (a, b, D) also, and ξ ξ {, }, because the quotient is a rational number of absolute value. Therefore ξ ξ the quadratic eld Q( D). is a -th root of unity contained in (a) Suppose that D, 3, then the only roots of unity contained in Q( D) are and. We have then a b D = a + b D or a b D = (a + b D). In the rst case, b = 0 which contradicts the assumption. In the second case, a = 0 and T (a, b, D) = Z with ξ = b D. (b) Suppose that D =. Let us write i for. The roots of unities in Q(i) are ± and ±i. If a bi = a + bi, then we have b = 0, a contradiction. If a bi = (a + bi), then we have T (a, b, D) = Z with ξ = bi. If a bi = ±i(a + bi), then we have T (a, b, D) = 4Z with ξ = a( i). (c) Suppose that D = 3. Let us write j for + 3. The roots of unities in Q( 3) are j, j, j 3 =, j 4 = j, j 5 = j, j 6 =. In the cases of ±, we obtain again T (a, b, D) = Z with ξ = b 3. If a b 3 = j ± (a + b 3), then T (a, b, D) = 3Z with ξ = a( 3). If a bi = j ± (a+b 3), then T (a, b, D) = 6Z with ξ = a 3 (3 3). Before discussing the main theorem, we recall some facts that will be used in the proof. Let K = Q(ζ, D). Note that the extension K/Q is Galois because the extensions Q(ζ )/Q and Q( D)/Q are both Galois [5]. Recall that an element α K is a primitive element if and only if the only group element of Gal(K/Q) which xes α is the identity. Consider the action of Gal(K/Q) on α = (a+b D)ζ. There exists an injective 6

7 homomorphism ψ : Gal(K/Q) Gal(Q( D)/Q) Gal(Q(ζ )/Q) = { ±} (Z/ Z) via. σ (ɛ(σ), u(σ)) which acts as σ((a + b D)ζ ) = (a + bɛ(σ) D)ζ u(σ). If D / Q(ζ ) then ψ is surjective and is therefore an isomorphism, in which case for all σ Gal(K/Q) there exists σ such that ɛ( σ) = ɛ(σ) and u( σ) = u(σ). But if D Q(ζ ), the sign ɛ(σ) is no longer independent from u(σ). To study the values of ɛ(σ) where D Q(ζ ), we can use representation of D in ζ. For an odd prime p who divides, ζ p as a primitive p-th root of unity satises the equality of the p-th cyclotomic polynomial Φ p (x) = x p +x p + +x+ = i p p i= (x ζ ), from which we obtain p = Φ p () = i p p p i= ( ζ ) = ( ) p i i p i= (ζ ζ p ). Therefore ( p i p i= (ζ ζ i p )) = ( ) p p in Q(ζ ). If 4 then (ζ 4 ) =, and if 8 then, (ζ 8 ζ 4 ( + ζ 4 )) =. Lie this we can represent the square roots of ±p, and in terms of a primitive root of unity ζ. For more detailed description about this procedure, refer to [8]. Lemma.5. Suppose that 4 and D Q(ζ ). Then the map σ : ζ ζ + to Gal(K/Q) and σ( D) = ( ) (D+) 8 D. belongs Proof. Since 4, we have gcd( +, ) =, so the map σ : ζ ζ + belongs to Gal(Q(ζ )/ζ ). If D 3 (mod 4), then by above procedure we can choose ζ such that D = p p D j=0 (ζ p j ζ p j ) and, because are all even because 0 (mod 4), p so D is invariant under σ, therefore ɛ(σ) =. If D (mod 4), then we choose p j=0 (ζ p j ζ p j ) and see that the exponent 4 ζ such that D = ζ 4 p D is even, if 0 (mod 8), and is odd if 4 (mod 8) while the exponent is always even, p therefore ɛ(σ) = ( ) 4. If D (mod 4), then we must have 8 and we choose ζ such p j=0 (ζ p j that D = ζ 8 ζ 4 ( + ζ 4 )(ζ 4 ) r p D ζ p j ) and, because the exponent is 8 even, if 0 (mod 6) and is odd, if 8 (mod 6) while the exponent and are p 4 always even, therefore ɛ(σ) = ( ) 8. We can summarize all the results in one formula as ɛ(σ) = ( ) (D+) 8. Note that ɛ(σ) taes always on integers even if D is even because in such a case 8. Theorem.6. Let a, b Q and D is a square-free positive integer and suppose b 0. There always exists a choice of ζ and d that α = (a+b D)ζ is a primitive element of the eld extension Q(ζ, D)/Q, except in the following cases: (i) D =, a = b and 8 (mod 6). 7

8 (ii) D / Q(ζ ), a = 0 and 0 (mod 4). (iii) D Q(ζ ), a = 0, 4 and (D + ) 8 (mod 6). Proof. If we tae -th power of the equality α = (a + b D)ζ, we obtain α = A + B D where A, B Q. If B 0, by the proposition., α is a primitive element. Now suppose B = 0. By the lemma.4 this occurs if and only if one of the followings holds : (a) a = b and D = with 4, or (b) a = b and D = 3 with 3, or (c) a = 3 b and D = 3 with 6, or (d) a = 0 and. We now study the conditions in order for α to be a primitive element in each of these cases. (a) In this case we can write α = b(+ɛ 0 )ζ with ɛ 0 xed as or. If we choose ζ such that ζ 4 =, then α = b(ζ + ζ 4 + ), and the only non-trivial automorphism which xes α is ζ ζ 4 + with ( + 4 ) (mod ), which is possible only when 8 (mod 6). If we choose ζ such that ζ 3 4 =, then α = b(ζ + ζ ) can be xed by the automorphism ζ ζ with ( ) (mod ), and is possible when 8 (mod 6) again. Therefore α = b( ± )ζ cannot be a primitive element when 8 (mod 6). (b) We can write, up to the sign of b, α = b( + ɛ 0 3)ζ with ɛ 0 xed as or. = +ɛ 0 3 When 6 (mod 9), we choose ζ such that ζ 3, then α = b( +ɛ 0 3)ζ = bζ 3 + is primitive because gcd( +, ) =. When 3 (mod 9), we choose ζ 3 such that ζ 3 = +ɛ 0 3, then α = b( + ɛ 0 3)ζ = bζ 3 + is primitive because gcd( +, ) =. 3 (c) We can write, up to the sign of b, α = b(3 + ɛ 0 3)ζ with ɛ 0 xed as or. = +ɛ 0 3 When 4 (mod 36), we choose ζ such that ζ 6, then α = b(3 + 3)ζ = b(ζ 6 + +ζ ) is primitive. Indeed the only non-trivial automorphism which xes α is ζ ζ 6 + with ( + 6 ) = (mod ), which exists only when 4 (mod 36). When (mod 36), we choose ζ such that ζ 5 6 = +ɛ 0 3, then α = b(3 + 3)ζ = b(ζ ζ ) is primitive by the similar reason. (d) Suppose at rst that 4. Then we can tae -th power of α = b Dζ to obtain α = B Dζ with B 0 Q because is odd, so that we have D = α B and ζ = α +, which shows that α is a primitive element. bbd Next we suppose that 4. Then we now that Gal(Q(ζ, D)/Q) contains an element σ such that σ(ζ ) = ζ + = ζ because gcd( +, ) =. Moreover, if σ satises the condition σ( D) = D, then σ will be a non-trivial automorphism satisfying 8

9 σ( Dζ ) = ( D)( ζ ) = Dζ. When D / Q(ζ ), we have Gal(Q( D)/ Q) = {±} (Z/Z), so such an element σ always exists and therefore α cannot be primitive. When D Q(ζ ), we now by Lemma.5 that α is not primitive if and only if σ( D) = ( ) (D+) 8 D = D, from which we obtain (D + ) 8 (mod 6).. The main strategy In the remar.3, we mentioned the idea to nd the polynomial representations of D and ζ in Q[x]/(r(x)). We now discuss the method of construction more precisely. For an embedding degree and a square-free positive integer D, we dene n = n(, D) := the least positive divisor of such that ζ n Q( D). Then, taing the n-th power of the equality α = (a + b D)ζ, we obtain α n = (a + b D) n ζ n = A + B D Q( D) for A, B Q. Then α is a root of the polynomial r 0 (x) = x n Ax n + A + DB. The minimal polynomial r(x) of α is a factor of r 0 (x). Assume that we have chosen a, b, D and such that B does not vanish. Then we obtain the representations D = αn A and ζ B = bαn+ +(ab+ab)α in Q(α) as B(a +b D) in Proposition.. It follows the polynomial representations in Q[x]/(r(x)), y(x) = t(x) = ζ + = bxn+ + (ab + Ab)x B(a + b D) D(t(x) ) D = axn+ + (bdb aa)x DB(a + Db ) +. (5) + xn A DB These polynomials give a candidate for a Brezing-Weng family together with the minimal polynomial r(x) and the prime representing polynomial q(x) = 4 (t(x) + Dy(x) ). If t(x) and y(x) represent integers, q(x) represents prime numbers and r(x) represent almost prime numbers, then the polynomials give a Brezing-Weng family of rho-value (6) ρ x = deg q(x) deg r(x) = max {deg t(x), deg y(x)} deg r(x) = (n + ) e(, D)ϕ(), (7) where ϕ is the Euler totient function and e(, D) is or according to whether D belongs to Q(ζ ) or not. Note that above representations are the results of reduction modulo r 0 (x) in the place of reduction modulo r(x), so that the degrees of the polynomials t(x) and y(x) are both 9

10 equal to n +, greater by one than the degree of the second most signicant term of r 0 (x). Because the rho-value is given by (7), the formula is interesting only when n + < deg r(x) = e(, D)φ(). Otherwise we can reduce (5) and (6) modulo r(x) which results in a smaller rho-value, although the resulting t(x) and y(x) may no longer represent integers. We present rho-values obtained by this construction in some interesting cases in Ÿ3, and treat the problem of the representability of integers of the polynomials in Ÿ4..3 Some alternatives On the other hand the analysis of the case (a) in the proof of the Theorem.6 suggests an alternative construction where 4 and D =. Suppose 8 (mod 6), then by the theorem α is a primitive element. Since 4 (mod 8), we have gcd( +, ) =. 4 Let u be an integer such that u( + ) (mod ). Because gcd(u, ) =, 4 ζu is also a primitive root of unity, so we can let = ζ u 4. Let α = b( + )ζ u. Taing the square of this equality we obtain α = b ζ u = b ζ u( 4 +) = b ζ, and +4 = ( ) 8 ζ 4 = ( ) +4 x 8, from which we have 4 b t(x) x x +, y(x) b b x + 4 b (mod r(x)), (8) where r(x) is the minimal polynomial of α. Note that y(x) is determined up to sign. Because α is in Q(ζ ), the minimal polynomial r(x) will be a polynomial factor of degree ϕ() of Φ ( x ) where Φ b is the -th cyclotomic polynomial. Because 4 and deg(t(x)) =, to have a good rho-value, we need that y(x) is of degree near ϕ(), which is generally not liely to happen. The simplest case where = 4 and a = b = gives the polynomials t(x) = y(x) = x, q(x) = x, r(x) = x x + that mae a family having ρ x =. This is a supersingular family over a eld of characteristic two. The case where = and a = b = gives another example of ρ x =, t(x) = x +, y(x) = x + x, q(x) = 8 x4 4 x x x +, r(x) = x4 x 3 + x 4x + 4. But in this case q(x) does not tae integer values, so it does not mae a family. On the other hand, because all the exponents of b in the polynomials in (8) are even, if we tae b = C for some square-free C Z, the polynomials t(x) and y(x) still remain in Q[x]. If we tae C = D for another D such that D Q(ζ ), then α = ( D + D)ζ. By the similar reason as above, the families constructed are not expected to have good rho-values generally. But if we apply this primitive element to the case where = and D = 3 we obtain a family of ρ x =, which is found in [3]. 0

11 If we tae C such that C / Q(ζ ), then Φ ( x ) will remain irreducible therefore as C the minimal polynomial of α of degree ϕ(). This alternative can give acceptable families of ρ x = +4 ϕ(). For example, if we choose = 4p for a prime p, we have ρ x = + p. 3 Application of the main strategy to some interesting cases 3. The cases where is odd and D / Q(ζ ) We continue using the symbols dened in Ÿ. Fix D such that D / Q(ζ ). Because is odd and D / Q(ζ ), we have n =. By the process described in Ÿ., we obtain t(x) = bx+ + (ab + ba)x B(a + Db ) y(x) = ax+ + (bdb aa)x DB(a + Db ) +, + x A DB Q[x]. (9) Because D / Q(ζ ), we have deg r(x) = ϕ() and deg q(x) = +. So we have ρ x = deg q(x) deg r(x) = + φ(). (0) From this formula we observe that the bigger the size of each prime factor and the smaller the number of the prime factors, the nearer the approaches rho-value to. For example, for = p l a power of a prime, we have ρ x +. In particular, when = p p a prime, the rho-value is +, from which come the best results. We see that the p rho-value depends much on the least size prime factor of. For example, if is even, then the prime factor p = maes rho-value bigger than without exception, so this method is useless for even. Table shows the rho-values obtained by the construction for odd embedding degrees 60. In the table, we see also that the cases where contains prime factors 3, 5 give relatively large rho-values ρ x ρ x Table : ρ x obtained for odd < 60, D / Q(ζ ), n =

12 Remar 3.. In the table, we can see that the ρ x are the same as those given in [0] when =, 5, 7,, 3, 7, 9, 3, 5, 9, 3, 35, 37, 4, 43, 47, 49. Our results are worse in the cases where contains 3 as we have predicted, for which cases we have to use another powering exponent n. See Ÿ3.3 for the cases where 3 divides. 3. The cases where is even and D / Q(ζ ) Note that these cases contain all of our improved results. Fix D such that D / Q(ζ ). Because is even and D / Q(ζ ), we have n =. By the process described in Ÿ., we obtain t(x) = bx + + (ab + ba)x B(a + Db ) y(x) = ax + + (bdb aa)x DB(a + Db ) +, Because deg r(x) = ϕ() and deg q(x) = +, we have + x A DB Q[x]. () ρ x = + φ(). () In this case two cases are particularly interesting. For = l p (l ) where p is a ( ) prime 3, we have ρ x = + p +. For = l (l ), we have ρ l x = +. l Table shows the rho-values that can be obtained by our construction Ÿ3. for even embedding degrees ρ x ρ x Table : ρ x obtained for even, D / Q(ζ ), n = Remar 3.. In the table, the mared entries mean that they are the ρ x smaller than those of previously nown families. We see that = 6,, 8, 40 and 46 are such cases. We oer some examples for these cases in Ÿ5 except for = 40. Remar 3.3. For the other cases = 4, 8, 0, 4, 0, 6, 3, 34, 38, 44, 50, the ρ x are the same as those given in [0]

13 3.3 The cases where 3, 4 or 6 and D Q(ζ ) From the previous constructions Ÿ3. and Ÿ3., resulting rho-values are relatively large where the contains small prime factors lie, 3 or 5. But we can still improve the result by taing n less than for certain cases. Indeed, the improvements of Ÿ3.3 were for the cases where we can tae n =, i.e where is even. To lower n, we need that Q(ζ n) Q( D). The only cases except n =, are the cases, (a) 3, D = 3, n =, 3 (b) 4, D =, n =, (c) 6, D = 3, n =. These are possible because the cyclotomic 4 6 elds Q(ζ 3 ) = Q(ζ 6 ) and Q(ζ 4 ) are quadratic elds Q( 3) and Q( ) respectively. Therefore, this ind of trial does not wor for the case where 5. We construct families along the method described in Ÿ., and have +6 if 3 3φ() ρ x = +4 if 4 φ() +6 if 6 3φ() (3) Table 3, table 4 and table 5 shows the rho-values for 60 when n = 3, 4 and 6 for the cases where 3, 4 and 6, respectively. We put the rho-values less than in the tables. We can verify that the rho-values are relatively large when n = and, 3 and also when n = and 3 by the small factor eects that we have mentioned in the analysis in Ÿ3.. This eect does not appear when n = ρ x Table 3: ρ x obtained when 3, D = 3 Q(ζ ), n = 3 Remar 3.4. In the table 3, we can see that the ρ x are the same as those given in [0] when = 9, 5,, 7, 33, 39, ρ x Table 4: ρ x obtained when 4, D = Q(ζ ), n = 4 3

14 Remar 3.5. In the table 4, we can see that the ρ x are the same as those given in [0] when = 6, 8, 40. Note that all these cases are contained in the cases of Ÿ3. and better results are shown in the table ρ x Table 5: ρ x obtained when 6, D = 3 Q(ζ ), n = 6 Remar 3.6. In the table 5, we can see that the ρ x are the same as those given in [0] when = 8, 4, 30, 36, 4, 48. Note that in these cases, these results are better than those of Ÿ3.. Remar 3.7. In the case where 8, because Q(ζ ), we can also tae α = (a + b )ζ using n =. 8 4 Evaluation of the polynomials and the algorithm In this section, we discuss the structure and calculation of the set of rational numbers x 0 for which f(x 0 ) is an integer, f being a polynomial with rational coecients. Then we apply this to the polynomials r(x), t(x), y(x) and q(x) appearing in the polynomial families. We also recall the situation in which r and q represent primes, as predicted by the Bateman-Horn heuristics [4] (see also [0], Ÿ.). Numerical examples will be given in Ÿ5. 4. Study of polynomials representing integers The problems of the representations of integers and prime numbers when the variable x taes on integer values are well treated in [0] in practical points of view. In our construction, all variables are dened as rational variables. So we discuss briey how to reduce this case to that of integral variables. We begin with a denition. Denition 4.. Let f(x) Q[x]. We say that f represents integers, if f(q) Z. Dene V Z (f) = f(q) Z, D Q (f) = f (V Z (f)) = {x Q f(x) Z}. 4

15 If f(x 0 ) Z then f(x ) Z for every rational number x congruent to x 0 modulo the common denominator of the coecients of f(x). We deduce that if f represents integers, then f(q) Z =. Denition 4.. Let m. Two m-tuples of polynomials (f,, f m ) and (g,, g m ) are said to be anely equivalent if there exists λ, µ Q with λ 0 such that g i (x) = f i (λx + µ) for all i {,..., m}. When this is the case, we write (f,..., f m ) (g,..., g m ). Note that if f(x) g(x), then we have V Z (f) = V Z (g) clearly. Let f(x) a polynomial of degree in Q[x] and write f(x) = g(x) m where g(x) = g nx n + g n x n + + g x + g 0 Z[x], gcd(m, g n,, g 0 ) = and m is an integer. (4) We want to nd D Q (f). For a rational number u, where u, v Z and gcd(u, v) =, if v f(u ) Z, then we need v that g n u n + g n u n v + + g uv n + g 0 v n 0 (mod mv n ). Since gcd(u, v) =, v must divide g n. Consequently, for every element x D Q (f), we can let x = w g n where w Z and gcd(w, g n ). Substituting this x into (4), we obtain w n + g n w n + + g 0 g n n 0 (mod mg n n ). (5) If an integer w = w is a solution of the congruence (5), then the rational numbers x = w g n (mod mgn n ) satises f(x ) Z. This process gives the set D Q (f). Proposition 4.3. (i) If a polynomial f(x) Q[x] is of the form f(x) = g(x) m m Z and g(x) Z[x] has a leading coecient or, then D Q (f) Z. where (ii) For a given polynomial f(x) Q[x], we can determine explicitly a polynomial h(x) Q[x] such that V Z (f) = V Z (h) and D Q (h) Z. Proof. (i) By the above discussion, the denominator of an element of D Q (f) should divides the leading coecient of g(x). So, if the leading coecient of g(x) is or, then we have D Q (f) Z. 5

16 (ii) Suppose that f(x) is of the form (4). By the change of variable x x g n, we obtain a polynomial h(x) = xn +g n x n +g n g nx n + +g gn n x+g 0 gn n. We have V Z (h) = V Z (f) gn n m because h(x) = f( x g n ) f(x), and D Q (h) Z because h(x) satises the conditions of (i). Denition 4.4. Let us we write a polynomial f(x) Q in the form (4). Then f(x) is called normalized if the leading coecient of g(x) is or. If a normalized polynomial h(x) is anely equivalent to a polynomial f(x), we say that h(x) is a normalization of f(x), and the polynomial f( x g n ) is called the standard normalization of f(x). In view of the Proposition 4.3, to nd V Z (f) for a polynomial f(x) in Q[x], we can wor with its standard normalization. 4. Application to the polynomials t(x), y(x), r(x), q(x). In our construction, we assumed that x, a, b tae rational values, using Ÿ 4., we now see that they can be assumed to be integers. Proposition 4.5. Let r α (x), t α (x), y α (x), q α (x) be the polynomials associated to α = (a+ b D)ζ where a, b Q and b 0 as in Ÿ.. Then there exists α = (a + b D)ζ, where a, b Z and b > 0 such that the associated polynomials r α (x), t α (x), y α (x) and q α (x) satisfy (r α (x), t α (x), y α (x), q α (x)) (r α (x), t α (x), y α (x), q α (x)). Proof. Let α = (a + b D)ζ, where a, b Q, be a primitive element. Let c Z, c > 0 be such that ac and bc are integers. It suces to tae α = cα choosing the sign of c so that bc > 0. In view of Proposition 4.5, we assume from now on that a, b Z and that b > 0. Then the problem of nding D Q (t) D Q (y) D Q (q) D Q (r) is related to the solvability of a system of polynomial congruences modulo each denominator. The main problem is to solve the system of two congruences corresponding (5) and (6) as follows. bx n+ + (ab + Ab)x 0 (mod B(a + b D)), ax n+ (a + Db )x n + (bdb aa)x + A(a + Db ) 0 (mod DB(a + Db )). (6) In order to determine D Q (t) D Q (y) D Q (q) D Q (r) Z, it suces that one of t(x), y(x), r(x) and q(x) is normalized. So we can replace the congruences (6) by those associated to a normalized tuples of polynomials. Note that the change of variable for the normalization should be simultaneous for multiple congruences. 6

17 Proposition 4.6. In the cases of Ÿ3. and Ÿ3., i.e. when n = or, the polynomial t(x) is normalized. Proof. In these cases we have (a + b D) n = ±(A + B D) with A, B Z. From the binomial expansion of the left hand side we obtain B = b n ( n r=0 r+) a n r b r ( D) r, from which we nd that b always divide B. Hence, (5) changes to t(x) = xn+ +(ab +A)x + B (a +Db ) where B = B Z, which is a normalized polynomial. b So for the constructions of Ÿ3. and Ÿ3., we need not a normalization process separately. Note that for other constructions Ÿ3.3, this proposition is not true. We obtain the solutions of the congruences (6) in the form x = x 0 + NX where x 0 and N are xed integers and X is a integer variable. We substitute this into t(x), y(x) and r(x) to obtain polynomials T (X) = t(x 0 + NX), Y (X) = y(x 0 + NX), R(X) = r(x 0 + NX) Z[X]. Then the divisibility conditions Φ (t(x) ) 0 (mod r(x)) and (t(x) ) + Dy(x) 0 (mod r(x)) that hold in the ring Q[x] become Φ (T (X) ) = G(X)R(X), and (T (X) ) + DY (X) = H(X)R(X), (7) for some polynomials G(X), H(X) Q[X]. Note that R(X) Z[X] automatically because r(x) Z[x]. Because Φ (T (X) ), (T (X) ) + DY (X), R(X) are all in Z[X], we can write, by an application of the Gauss' lemma on polynomial [5], that G(X)R(X) = c(g)c(r)g (X)R (X) and H(X)R(X) = c(h)c(r)h (X)R (X) where G (X), H (X) and R (X) are primitive polynomials Z[x], and c(g)c(r), c(h)c(r) Z. Here c(f ) means the content of the polynomial F (X). Therefore we can write Φ (T (X) ) = G (X)R (X), and (T (X) ) + DY (X) = H (X)R (X), (8) for G (X), H (X), R (x) Z[x]. So if we replace R(X) by R (x), the divisibility conditions hold in the ring Z[X], so that the divisibility conditions also hold among the integers represented by the corresponding polynomials. Lastly, if Q(X) = q(x 0 + NX) = {T 4 (X) + DY (X) } represents primes we obtain a family. Note that for a pair of integers t and y randomly obtained, the probability that t + Dy 0 (mod 4) is when D 3 mod 4, and is when D mod

18 4.3 Algorithmic and computational aspects The following algorithm describes the method of nding families of pairing friendly elliptic curves by the main strategy (Ÿ.). We assume that the inputs are chosen so that one of the exceptional cases in the Theorem.6 does not occur. Algorithm 4.7. Constructing families of pairing-friendly elliptic curves - The main strategy. INPUT:, n: positive integers, D: a square-free positive integer, L, M: positive integers OUTPUT: A list of complete families of elliptic curves (r(x), t(x), y(x), q(x)) or an empty list VARIABLES: a, b, n, X, LIST.. If then If 3 then let n =, otherwise let n = 3. Else if then If 3 then let n =, otherwise let n = 6. (Optional: If 4 and 3 then we can let n = 4 ). Set LIST =. 3. For a from L to L, b from to M do 3.. Let α = (a + b D)ζ. 3.. Find A and B such that A + B D = α n Let t(x) = bxn+ +(ab+ab)x +, B(a +b D) y(x) = axn+ +(bdb aa)x + xn A, DB(a +Db ) DB r 0 (x) = x n Ax n + A + DB Find the minimal polynomial r(x) of α from the factors of r 0 (x) Replace the polynomials r(x), t(x), y(x) by their normalizations. Let t(x) = g (x) m, y(x) = g (x) m for g, g Z[x], m, m Z. 8

19 3.6. Find the integer solutions of the congruences. g (x) 0 (mod m ), g (x) 0 (mod m ). Let the solutions x = x i + N i X (i =,, l) For i from to l do 3.7. Let T (X) = t(x i + N i X), Y (X) = y(x i + N i X), Q(X) = T (X) +DY (X) 4, R(X) = r(x i + N i X) If Q(X) represent prime numbers then let R (X) = R(X) c(r(x)), and add (R (x), T (x), Y (x), Q(x)) to LIST. 4. OUTPUT(LIST ). 5 Examples In this section, we give some example families constructed by the proposed method. First four examples where n = brea the records of ρ x values when = 6,, 8 and 46. The other three examples for the cases where 3, 4 and 6 respectively, are oered to show that our method is useful for another. The computations are performed by codes of GP/PARI calculator version.3.4 in a computer of 4 GHz CPU and 6 GB memory. Example 5.. = 6, D = 9, n =, a =, b = 9, r(x) = x x , t(x) = ( x x ), y(x) = (x9 540x x ), q(x) = (x8 x x x x x x x ). We see that ρ x =.5, and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes where x = X, etc. for X Z. For example, we obtain a numerical example when X = 88, r 0 = (447-bit), t 0 = , q 0 = (69-bit), with ρ =.70. For = 6, another parameters D = 83, n =, a =, b = 9 also gives an example. 9

20 Example 5.. =, D = 3, n =, a = 3, b = r(x) = x 0 + 6x 9 + 5x 8 36x 7 53x 6 430x 5 349x x x x 68x x x x x x x x x x , t(x) = 3490 x x +, y(x) = x x x , q(x) = x x x x x x x x We see that ρ x =.00, and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes when x = X, etc. for X Z. For example, we obtain a numerical example when X = 99, r 0 = (835-bit), t 0 = , q 0 = (03-bit), with ρ =.35. For =, another parameters D =, n =, a =, b = also gives an example. Example 5.3. = 8, D =, n =, a =, b =, r(x) = x 4 +0x +56x 0 +40x x x x x x x x x t(x) = (x x ) y(x) = ( x5 x x ) q(x) = (x30 +x 9 +x x x x x x ) We see that ρ x =.50 and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes where x = X, etc. for X Z. For example, we obtain a numerical example when X = 0, r 0 = (738-bit), t 0 = , q 0 = , (003-bit), with ρ =.80. Example 5.4. = 46, D =, m =, a = 3, b =, r(x) = x x x x 4 + 6x 40 44x x x x x x x x x x x x x x x x x 3 + 0

21 x x x x x x x x x x x x x x x x x x x x x x , t(x) = (x x ), y(x) = (3x4 + 3x x ), q(x) = (x48 + 6x x x x x x x ). We see that ρ x =.090 and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes when x = X, etc. for X Z. For example, we obtain a numerical example when n = 6, r 0 = (4094-bit), t 0 = , y 0 = , q 0 = (4466-bit), with ρ =.090. Example 5.5. For = 7, D = 3, n =, a =, b =, 3 r(x) = x 8 475x , t(x) = 476 x x +, y(x) = x x x , q(x) = x x x8 475/ x x x x x This family has ρ x =., and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes where x = X, etc. for X Z. Example 5.6. For = 8, D = 7, n =, a =, b =, 4 r(x) = x 8 6x , t(x) = 9 (x5 6x + 9), y(x) = 344 ( x5 8x 4 76x 64), q(x) = 904 (x0 + x 9 + 8x 8 + 6x x 5 + 8x x 560x ) This family has ρ x =.50. t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes where x = X, etc. for X Z. Note that

22 we tae D = 7 which is dierent from that of table 8. of [0]. Example 5.7. For = 36, D = 3, n =, a =, b =, 6 r(x) = x + 683x , t(x) = 59 x x +, y(x) = x7 + x x + 683, q(x) = 8749 x x x x x x x x This family has ρ x =.67, and t(x), y(x) represent integers and q(x) represents primes and r(x) represents almost primes where x = X, etc. for X Z. 6 Conclusion and perspectives We have proposed a new method of choosing primitive elements for Brezing-Weng families of pairing friendly elliptic curves. The proposed method improves the rho-values of the families for the case where embedding degrees = 6,, 8 and 46. We have summarized the improved results in table 6. ρ x D deg r(x) Constr. 6.5 Some xed (eg. 9, 83) 6 Ÿ3..00 Some xed (eg., 3) 0 Ÿ Some xed (eg. ) 4 Ÿ Some xed (eg. ) 44 Ÿ3. Table 6: Improved rho-values of families obtained by the proposed method Indeed, the method can be considered a ind of generalization of the the methods proposed in [0], [4] and [3]. This explains why our method arrives at the existing records of rho-values for the remaining embedding degrees. Note that the choice of D in our method is relatively free compared to another methods that use xed discriminants. In fact, this provides a cause of the improvement in the rhovalues by increasing the degree of polynomials concerned. We can see in the table several example D values for each, and another many choices are possible. The table of Ÿ3. shows that the rho-value of a family obtained by our method can be improved also for the case of = 40. We give no example for this case at present, because of some implementation problem. However, we conjecture that a little improvement of strategy will give examples.

23 References [] Leonard Adleman and Jonathan DeMarrais, A subexponential algorithm for discrete logarithms over all nite elds, Algorithmic Number Theory. LNCS 877 (994), [] Ramachandran Balasubramanian, Neal Koblitz, The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes - Oamoto - Vanstone Algorithm, J. Cryptology (998), [3] Paulo Barreto and Michael Naehrig, Pairing-friendly elliptic curves of prime order, Selected Areas in Cryptography, LNCS 3897 (006), [4] Paul Bateman, Roger Horn, A heuristic asymptotic formula concerning the distribution of prime numbers, Mathematics of Computation 6 (96), [5] Dan Boneh and Matt Franlin, Identity-based encryption from the Weil pairing, Advances in Cryptology, LNCS 39 (00), 3-9. [6] John Boxall, Heuristics on pairing-friendly elliptic curves, J. Mathematical Cryptology 6() (0), [7] Friederie Brezing, Annegret Weng, Elliptic curves suitable for pairing based cryptography, Designs, Codes and Cryptography 37 (005), [8] Max Deuring, Die Typen der Multipliatorenringe elliptischer Funtionenörper. Abh. Math. Sem. Hansischen Univ. 4 (94), [9] Robert Dryªo, On constructing families of pairing-friendly curves with variable discriminant, Progress in Cryptology - INDOCRYPT 0, LNCS 707 (0), [0] David Freeman, Michael Scott, Edlyn Tese, A taxonomy of pairing-friendly elliptic curves, J. Cryptology 3 (00), [] Gerhard Frey, Michael Müller and Hans-Georg Rüc, The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45(5) (999),

24 [] Florian Hess, Pairing lattices, Pairing-Based Cryprography - Pairing 008, LNCS 509 (008), [3] Antoine Joux, A one round protocol for tripartite Die-Hellman, Algorithmic Number Theory - ANTS-IV, LNCS 838 (000), [4] Ezeiel Kachisa, Edward Schaefer, Michael Scott, Constructing Brezing-Weng Pairing-Friendly Elliptic Curves Using Elements in the Cyclotomic Field, Pairing-Based Cryptography - Pairing 008, LNCS 509 (008), [5] Serge Lang. Algebra Springer, 3rd edition (00). [6] Alfred Menezes, T. Oamoto, Scott Vanstone, Reducing elliptic curve logarithms to logarithms in a nite eld, IEEE Transactions on Information Theory, 39(5) (993), [7] Alfred Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers (993). [8] Angela Murphy, Noel Fitzpatric, Elliptic Curves for Pairing Applications, Cryptology epring Archive Report 005/30. [9] A. Miyaji, M. Naabayashi and S. Taano, New explicit conditions of elliptic curve traces for FR-reduction, IEICE Trans. Fundamentals E84 (00), [0] François Morain, Classes d'isomorphismes des courbes elliptiques supersingulières en caracteristique 3, Utilitas Mathematica 5 (997), 4-53,. [] R. Saai, K. Ohgishi, and M. Kasahara, Cryptosystems based on pairing, The 000 Symposium on Cryptography and Information Security - SCIS 000, 6-8. [] Frederi Vercauteren, Optimal pairings, IEEE Transactions on Information Theory 56 (00),