
Abstract. We present two contributions in this paper. First, we give a quantitative analysis of the scarcity of pairing-friendly genus 2 curves. This result is an improvement relative to prior work which estimated the density of pairing-friendly genus 2 curves heuristically. Second, we present a method for generating pairing-friendly parameters for which ρ ≈ 8, where ρ is a measure of efficiency in pairing-based cryptography. This method works by solving a system of equations given in terms of coefficients of the Frobenius element. The algorithm is easy to understand and implement.

1 Introduction

In order to use the Jacobian variety of a curve over a finite field for discrete logarithm based cryptography, suitable parameters must be chosen, and a curve with those parameters must be found. One such parameter is the underlying finite field Fp over which the curve is defined. Another important parameter is the cardinality N of the group of Fp-rational points on the Jacobian of the curve. For many implementations of discrete logarithm based cryptographic protocols, Fp is a prime field, i.e., p is a prime number, and N is a prime number or a prime times a small cofactor, to resist the Pohlig-Hellman attack [19] on the discrete logarithm problem. Pairing-based cryptography poses further restrictions on the curves, since in addition a small embedding degree is required. Genus 2 point-counting methods ([12], [10]) choose random curve equations over a finite field and compute the number of points on the Jacobian of the curve until one that is good for discrete logarithm-based cryptography is found. An alternative to point counting is to use the genus 2 Complex Multiplication (CM) algorithm ([24]) to construct curves with a given number of points on their Jacobians. As in the case of the elliptic curve CM method, the genus 2 CM method is very efficient once the class polynomials of the CM field are computed. The hard problem is to find CM fields such that the class polynomials can be computed and such that the order N of the Jacobian of the curve and the embedding degree are suitable. For a history of the genus 2 CM method, the reader can refer to [5]. In brief, the algorithm works as follows. Let K be a quartic CM field with primitive CM type.

1. Find a prime p such that there exists ω ∈ K with ω ω̄ = p, and an integer N depending on p and O_K which will be the group order of the Jacobian of the genus 2 curve having CM by O_K. Such p and N can be identified by using a method in [24].
2. Compute the Igusa class polynomials H_i(x), i = 1, 2, 3, of K. This step can be done using the methods described in one of [22], [24], [5], [13].
3. Construct a curve C from a set of roots of the H_i(x) over Fp via the Mestre-Cardona-Quer algorithm [18], [4], and check if the Jacobian of the curve has order N.

In practice, to use the CM method the quartic CM field K must have small discriminant. So it is desirable to have algorithms which take as input a given field K, and output good cryptographic parameters p and N for a curve C over Fp with #Jac(C, Fp) = N, where Jac(C, Fp) denotes the Fp-rational points of the Jacobian of the curve C. The genus 2 CM method is a useful alternative to point counting, since genus 2 point counting methods are still slow, and the low density of pairing-friendly curves among cryptographically strong ones, as we will see in Section 4, makes it extremely hard to find suitable curves for pairing-based cryptography via point counting. This indicates that the CM method is probably the only suitable method currently available for finding pairing-friendly genus 2 curves. In this paper, we present a method for generating pairing-friendly parameters for the CM construction of genus 2 curves. The rest of the paper is organized as follows: Section 2 reviews related work. Section 3 gives background on CM fields and pairings. Section 4 shows quantitatively the scarcity of pairing-friendly genus 2 curves among all those that are suitable for discrete-logarithm-based cryptography. Sections 5 and 6 propose two methods, without and with polynomial parameterization, for generating pairing-friendly genus 2 curves. Some sample numerical data can be found in the appendices. This paper has been published as part of a PhD thesis [21].

2 Related work

In 2002, Rubin and Silverberg [20] showed that supersingular Jacobians of genus 2 hyperelliptic curves have small embedding degrees (≤ 12). In 2007, Hitt [14] presented, for characteristic 2, the construction of families of genus 2 curves with small embedding degree. Freeman [6] gave a method in 2007 for constructing genus 2 curves with ordinary Jacobians over prime fields, which uses parameterization of the CM fields to obtain conditions that lead to the result, and produces a value ρ ≈ 8 (see footnote 1). In 2008, Kawazoe and Takahashi [16] suggested a way to find pairing-friendly parameters to generate curves of the form y² = x⁵ + ax over Fp for a prime p written as p = c² + 2d², by exploiting the closed formulas for the order of the Jacobian of such curves. This method produces curves with ρ ≤ 4, whose Jacobians are however not absolutely simple. In 2008, Freeman, Stevenhagen and Streng [9] and Freeman [7] proposed methods for generating parameters for more general pairing-friendly ordinary abelian varieties. The former constructs a suitable Frobenius element which leads to a pairing-friendly abelian variety by extending a method of Cocks and Pinch [8]. The latter finds suitable polynomials parameterizing key elements and generates good parameters by evaluating such polynomials at many different input values. When applied to the case of genus 2, [9] produces ρ ≈ 8 and [7] is able to further reduce the value to ρ < 8. Although it is known to some extent (see [11]) that pairing-friendly parameters are very rare, among all the work generating such parameters for genus 2 curves, this is the first paper that analyzes quantitatively how unlikely cryptographically strong pairing-friendly parameters are. The algorithms presented in this paper, together with those in [6], [9], and [7], are the only known methods that generate pairing-friendly parameters for ordinary genus 2 curves over prime fields which have absolutely simple Jacobians. Unlike [6], we do not need to parameterize the CM field. Our algorithms are also more concrete and more explicit when compared to [9] and [7]. Therefore, these algorithms are easier to understand and implement.

3 Background

3.1 The CM field and the Frobenius element

Let K := Q(η), where

$$\eta = \begin{cases} i\sqrt{a + b\sqrt{d}} & \text{if } d \equiv 2, 3 \pmod 4, \\[4pt] i\sqrt{a + b\,\dfrac{-1+\sqrt{d}}{2}} & \text{if } d \equiv 1 \pmod 4, \end{cases}$$

be a fixed primitive quartic CM field, where d > 0 is squarefree and Q(√d) has class number 1. The condition that K is primitive is equivalent to ∆ > 0 not being a square, where ∆ = a² − b²d if d ≡ 2, 3 (mod 4), and ∆ = a² − ab − b²(d − 1)/4 if d ≡ 1 (mod 4). We want to construct a genus 2 hyperelliptic curve C over a finite field Fp of prime order such that End(Jac(C, Fp)) ⊗ Q = K, and N := #Jac(C, Fp) is "almost prime", meaning that N is a product of a large prime number and a small cofactor. If such a curve C is found, then there exists an element, called the Frobenius element, π ∈ End(Jac(C, Fp)) that satisfies the condition |π| = √p, where |π| is the usual absolute value of the complex number π. Assume for simplicity that the Frobenius element π is in an order

$$\mathcal{O} := \begin{cases} \mathbb{Z} + \sqrt{d}\,\mathbb{Z} + \eta\,\mathbb{Z} + \eta\sqrt{d}\,\mathbb{Z} & \text{if } d \equiv 2, 3 \pmod 4, \\[4pt] \mathbb{Z} + \dfrac{-1+\sqrt{d}}{2}\,\mathbb{Z} + \eta\,\mathbb{Z} + \eta\,\dfrac{-1+\sqrt{d}}{2}\,\mathbb{Z} & \text{if } d \equiv 1 \pmod 4. \end{cases}$$

We first look at the case d ≡ 2, 3 (mod 4) and write

$$\pi = c_1 + c_2\sqrt{d} + \eta\,(c_3 + c_4\sqrt{d}), \qquad c_i \in \mathbb{Z}.$$

Footnote 1 (referenced in Section 2): The definition of ρ can be found later in Section 5. It is a measure of efficiency in pairing-based cryptography. In general, the smaller ρ is, the more efficient the pairing is for cryptography.

The relationship π π̄ = p gives us

$$(c_1^2 + c_2^2 d + c_3^2 a + c_4^2 a d + 2c_3c_4 b d) + (2c_1c_2 + 2c_3c_4 a + c_3^2 b + c_4^2 b d)\sqrt{d} = p.$$

Since 1 and √d are linearly independent over Q we must have

$$c_1^2 + c_2^2 d + c_3^2 a + c_4^2 a d + 2c_3c_4 b d = p \quad (1)$$

$$2c_1c_2 + 2c_3c_4 a + c_3^2 b + c_4^2 b d = 0 \quad (2)$$

Let ᾱ and α^σ denote the imaginary and real embeddings of K into K. The characteristic polynomial of π is

$$h(x) = (x - \pi)(x - \bar\pi)(x - \pi^\sigma)(x - \bar\pi^\sigma) = x^4 - 4c_1x^3 + \big(2p + 4(c_1^2 - c_2^2 d)\big)x^2 - 4c_1 p\,x + p^2.$$

The fact that $\#\mathrm{Jac}_{\mathbb{F}_p}(C) = h(1)$ gives the condition

$$N = (p+1)^2 - 4(p+1)c_1 + 4(c_1^2 - c_2^2 d). \quad (3)$$

We want N to be almost prime, i.e., N = c · r with r prime and c small (say, c < 2000). We have p ∼ N^{1/2}. Based on the discussions above, Weng ([24]) gives a probabilistic method for searching for parameters for discrete logarithm based cryptography, which produces a prime p and an almost prime N.

3.2 Weil and Tate-Lichtenbaum pairings

An excellent survey of the best known implementations of pairings on Jacobians of hyperelliptic curves is given in [1]. In this section we give only some basic information that we need about pairings on general abelian varieties. For an abelian variety A over a finite field F and an integer r coprime to the characteristic of F, the Weil pairing is a nondegenerate, skew-symmetric bilinear map

$$e_r^W : A(\bar F)[r] \times A(\bar F)[r] \to \mu_r(\bar F),$$

where F̄ is an algebraic closure of F and μ_r(F̄) is the group of r-th roots of unity in F̄; the Tate-Lichtenbaum pairing is a nondegenerate bilinear map

$$e_r^{TL} : A(F)[r] \times A(F)/rA(F) \to F^*/(F^*)^r.$$

$F^*/(F^*)^r$ is isomorphic to μ_r(F̄) if and only if μ_r(F̄) ⊆ F.

Definition 1 (Embedding degree). Let A be an abelian variety over a finite field F = Fp. Let r be an integer coprime to p which divides #A(F). The field F(μ_r(F̄)) is a finite extension F_{p^k} of F. The number k is called the embedding degree of A with respect to r, and it is the smallest integer such that r | (p^k − 1).

We also call the embedding degree of the Jacobian of a nonsingular projective curve C the "embedding degree of the curve C." For pairing-based cryptography, we need an abelian variety A with #A almost prime, i.e., #A = h · r, where h is a small positive integer and r is a prime number, and an embedding degree k of A with respect to r that is not too large.

Definition 2 (Pairing-friendly abelian variety). Let H and K be positive integers. Let A be an abelian variety over a finite field Fp . We say A is pairing-friendly with respect to parameters H and K if #A = h · r for some positive integer h ≤ H and a prime number r, and the embedding degree k of A with respect to r is no larger than K.

By convention, we call an abelian variety “pairing-friendly” if H and K are “small.” We also say a nonsingular projective curve C is “pairing-friendly” if C has a pairing-friendly Jacobian. We also call the parameters (p, #A) “pairing-friendly”.

4 Pairing-friendly genus 2 curves are rare: a quantitative analysis

In this section, we shall show quantitatively that there are very few pairing-friendly parameters for genus 2 hyperelliptic curves among all possible almost prime group orders for Jacobians of genus 2 hyperelliptic curves over prime fields. Inspired by [2], in which elliptic curves of prime orders over finite fields are considered, we generalize its result to the genus 2 case to also deal with Jacobians of almost prime orders. A heuristic estimation of the density of pairing-friendly genus 2 curves was performed earlier in [11]. Our result shows a more explicit improvement to this prior work. The main result of this section is Theorem 1. Before proving it, we first introduce several lemmas. Let p be an odd prime number, and let log(·) denote the natural logarithm. Let α0 = 4/5.

Lemma 1. For positive c, M and a, a ∈ Z, let $S_{a,c,M}$ denote the set of pairs of primes (x, y) such that M/2 ≤ x ≤ M and $|x^2 - a\cdot y| \le c\cdot x^{3/2}$. Then ∀c, ∀0 < α < α0 ∃M0(c, α) > 0 such that ∀M > M0(c, α), ∀a < M^α, we have

$$|S_{a,c,M}| \ge \tilde{c}\cdot\frac{c}{a}\cdot\frac{M^{5/2}}{(\log M)^2}$$

for an effectively computable constant c̃.

Proof. Let π(x) be the number of primes in the interval [1, x]. Let N = π(M) − π(M/2) be the number of primes in (M/2, M]. The Prime Number Theorem (P.N.T.) implies N > (1/3) · M/log M when M > M1 for some M1 > 0. By a result of Huxley [15] (suggested by Igor Shparlinski), we have

$$\pi(A) - \pi(A - B) \sim \frac{B}{\log A} \qquad (A^{\Theta} < B < \tfrac12 A), \quad (4)$$

for any constant Θ > 7/12. Now let p be a prime number in (M/2, M]. We look at the number of primes y such that $|p^2 - a\cdot y| \le c\cdot p^{3/2}$, i.e., $\frac{1}{a}p^2 - \frac{c}{a}p^{3/2} \le y \le \frac{1}{a}p^2 + \frac{c}{a}p^{3/2}$. Denote this number by $N_p$. Let c be fixed. In (4), let $A = \frac{1}{a}p^2$ and $B = \frac{c}{a}p^{3/2}$. Let $M_2(c, \alpha) = 8c^2$. Then it is clear that $B < \frac12 A$ for M/2 ≤ p ≤ M, when M > M2(c, α). For 0 < α < α0, write α = (3/2 − 2θ − ε)/(1 − θ), where 7/12 < θ < 3/4 and ε > 0 are constants (this can always be done for such a constant α). Note that $A^\theta < B \iff a^{1-\theta} < c\cdot p^{3/2-2\theta}$. Let $M_3(c, \alpha) = \big(2^{3/2-2\theta}/c\big)^{1/\epsilon}$. Then ∀M > M3(c, α), M/2 ≤ p ≤ M, and a < M^α, we have

$$c\cdot p^{3/2-2\theta} \ge c\,(M/2)^{3/2-2\theta}, \qquad a^{1-\theta} \le (M^\alpha)^{1-\theta} = M^{3/2-2\theta-\epsilon}.$$

Note that

$$M > M_3(c,\alpha) \iff M > \big(2^{3/2-2\theta}/c\big)^{1/\epsilon} \iff c\cdot M^{\epsilon} > 2^{3/2-2\theta} \iff c\,(M/2)^{3/2-2\theta} > M^{3/2-2\theta-\epsilon}.$$

It implies $c\cdot p^{3/2-2\theta} > a^{1-\theta}$, and thus $B > A^\theta$. Let M4(c, α) > max{M2(c, α), M3(c, α)} be large enough such that (4) holds with

$$\pi\Big(\frac{1}{a}p^2\Big) - \pi\Big(\frac{1}{a}\big(p^2 - c\cdot p^{3/2}\big)\Big) > \frac12\cdot\frac{(c/a)\cdot p^{3/2}}{\log\big((1/a)\cdot p^2\big)}$$

for all M > M4(c, α), M/2 ≤ p ≤ M. Let M > M4(c, α), M/2 ≤ p ≤ M, and a < M^α. We have

$$N_p \ge \pi\Big(\frac{1}{a}\big(p^2 + c\cdot p^{3/2}\big)\Big) - \pi\Big(\frac{1}{a}\big(p^2 - c\cdot p^{3/2}\big)\Big) > \pi\Big(\frac{1}{a}p^2\Big) - \pi\Big(\frac{1}{a}\big(p^2 - c\cdot p^{3/2}\big)\Big)$$

$$> \frac12\cdot\frac{(c/a)\cdot p^{3/2}}{\log\big((1/a)\cdot p^2\big)} > \frac12\cdot\frac{(c/a)\cdot(M/2)^{3/2}}{2\log M} > \frac{1}{12}\cdot\frac{c}{a}\cdot\frac{M^{3/2}}{\log M}.$$

Note that the value p does not appear in the resulting inequality above. Let M0(c) = max{M1, M4(c)}. When M > M0(c), a < M^α, summing over all suitable primes p, M/2 ≤ p ≤ M, we obtain

$$|S_{a,c,M}| = \sum_{\substack{M/2 \le p \le M \\ p\ \text{prime}}} N_p \ge \frac{1}{12}\cdot\frac{c}{a}\cdot\frac{M^{3/2}}{\log M}\cdot\frac13\cdot\frac{M}{\log M} = \frac{1}{36}\cdot\frac{c}{a}\cdot\frac{M^{5/2}}{(\log M)^2}.$$

Let c̃ = 1/36. Then the result follows. □

Remark 1. If the Riemann Hypothesis is true, then the constant α0 in Lemma 1 can be relaxed to α0 = 1.

Remark 2. If we take a = 1, the result of Lemma 1 is comparable to the heuristic result in [11] (estimate of the volume of S in Section 4.2 of [11]).

Lemma 2. For positive K, M and a, K ∈ Z, a ∈ Z, let $T_{a,M,K}$ denote the set of pairs of primes (x, y) such that M/2 ≤ x ≤ M, $|x^2 - a\cdot y| \le 5x^{3/2}$ and $y \mid (x^k - 1)$ for some k ≤ K. Then $|T_{a,M,K}| < \frac14 M K(K+1)\log M$.

Proof. For every integer x with M/2 ≤ x ≤ M, let $B_x$ be the set of primes y such that $y \mid (x^k - 1)$ for some integer k with 0 < k ≤ K. Since $x^k - 1$ has fewer than $\log(x^k)$ distinct prime divisors, we have

$$|B_x| < \sum_{k=1}^{K} k\log x \le \frac12 K(K+1)\log x.$$

Summing over all such integers x and noting that M/2 ≤ x ≤ M, we have

$$|T_{a,M,K}| \le \sum_{M/2 \le x \le M} |B_x| < \frac14 M K(K+1)\log M.$$

□

Remark 3. It is worth noting that the result in Lemma 2 does not require M to be large. Igor Shparlinski pointed out that the result of Lemma 2 can be further improved to $|T_{a,M,K}| = O(MK^2/\log M)$ when M is large and a < M^α, α > 0, by noting that when the prime y is close to x²/a, the number of y such that y | (x^k − 1) is at most about k/(2 − α), and that there are O(M/log M) primes x in the interval [M/2, M]. When 0 < α < 1, this improved result can be written as

$$|T_{a,M,K}| < \frac12 M K^2/\log M. \quad (5)$$

Remark 4. It is possible that the result of (5) may be further refined to be closer to the heuristic result in [11] (the estimate of the volume of S′ in Section 4.2 of [11]). However, such a refinement would likely require techniques different from those used in the proof of Lemma 2.

Lemma 3. Let c, H, M and K be positive, K ∈ Z. Let $\tilde S_{H,c,M}$ denote the set of pairs of primes (x, y) such that M/2 ≤ x ≤ M and $|x^2 - a\cdot y| \le c\cdot x^{3/2}$ for some a ∈ Z, 1 ≤ a ≤ H. Let $\tilde T_{H,M,K}$ denote the set of pairs of primes (x, y) such that M/2 ≤ x ≤ M, $|x^2 - a\cdot y| \le 5x^{3/2}$ for some a ∈ Z, 1 ≤ a ≤ H, and $y \mid (x^k - 1)$ for some k ≤ K. Then for any c > 0, for any 0 < α < α0, when M is sufficiently large and H < M^α, we have

$$\frac{|\tilde T_{H,M,K}|}{|\tilde S_{H,c,M}|} < c' \cdot \frac{H\cdot K^2\cdot\log M}{c\cdot M^{3/2}}$$

for an effectively computable positive constant c′. A possible choice of such a constant is c′ = 18.

Proof. Let a be an integer such that 1 ≤ a ≤ H. By Lemma 1 and Remark 3, when M is sufficiently large, we have

$$\frac{|T_{a,M,K}|}{|S_{a,c,M}|} < \frac{\tfrac12\cdot MK^2/\log M}{\tfrac{1}{36}\cdot\tfrac{c}{a}\cdot\tfrac{M^{5/2}}{(\log M)^2}} = 18\cdot\frac{a\cdot K^2\cdot\log M}{c\cdot M^{3/2}} < 18\cdot\frac{H\cdot K^2\cdot\log M}{c\cdot M^{3/2}}$$

for large M and H < M^α. Note that $\tilde T_{H,M,K} = \bigcup_{1\le a\le H} T_{a,M,K}$ and $\tilde S_{H,c,M} = \bigcup_{1\le a\le H} S_{a,c,M}$. Hence we have

$$\frac{|\tilde T_{H,M,K}|}{|\tilde S_{H,c,M}|} < 18\cdot\frac{H\cdot K^2\cdot\log M}{c\cdot M^{3/2}}.$$

□

Theorem 1. Let H and K be positive integers. Let α be any constant such that 0 < α < α0. Let (p, N) be a randomly (w.r.t. the uniform distribution) chosen pair in which p is a prime in the interval [M/2, M] and N is the group order of the Jacobian of a genus 2 curve C defined over Fp such that N = #Jac(C, Fp) = h · r, with h ∈ Z, 1 ≤ h ≤ H < M^α, and r prime. For M large enough, the probability that (p, N) is pairing-friendly with respect to parameters H and K is less than

$$c'' \cdot \frac{H\cdot K^2\cdot\log M}{M^{3/2}}$$

for an effectively computable positive constant c″.

Proof. The Riemann Hypothesis for abelian varieties over finite fields, proved by Weil in [23], implies the Hasse-Weil bound for genus 2 curves, i.e., $\#\mathrm{Jac}(C, \mathbb{F}_p) \in [(\sqrt p - 1)^4, (\sqrt p + 1)^4]$. For p large enough, we have $\#\mathrm{Jac}(C, \mathbb{F}_p) \in [p^2 - 5p^{3/2}, p^2 + 5p^{3/2}]$. Let c = 1/9. By Proposition 2.4 of [17], almost all integers $z \in [p^2 - cp^{3/2}, p^2 + cp^{3/2}]$ can be assumed to be the cardinality of the Jacobian of a genus 2 hyperelliptic curve (given by a quintic or sextic polynomial) over Fp. In Lemma 3, let c = 1/9, x = p, y = r and a = h. The conclusion then follows, observing that c = 1/9 is small enough so that the total number of pairs (p, N) in the statement of Theorem 1 is strictly larger than $|\tilde S_{H,c,M}|$. Note that we can choose c″ = 10c′, where c′ is the constant from Lemma 3. □

Theorem 1 says there are very few pairing-friendly parameters for genus 2 hyperelliptic curves when H and K are much smaller than p.

5 Algorithms for generating pairing-friendly genus 2 curves over prime fields

Let k be a desired embedding degree. Let C be a genus 2 hyperelliptic curve defined over a finite field Fp whose Jacobian over Fp has a subgroup of order r such that Jac(C, Fp) has embedding degree k with respect to r. The ratio of the bit length of #Jac(C, Fp) to the bit length of r is a good measure of efficiency in pairing-based cryptography. Define ρ = 2 log(p)/log(r). In many pairing-based cryptographic applications, we prefer this value to be close to 1. In [6], a method to generate genus 2 curves with ordinary Jacobians over prime fields with low embedding degrees is proposed. An important part of this method is a parameterization of the CM field. The method generates curves with value ρ ≈ 8. We propose another way of generating good parameters, without parameterizing the CM field, which gives a similar ρ value.

Let K := Q(η) be a fixed quartic CM field. We want to construct a genus 2 hyperelliptic curve C over a prime field Fp such that Jac(C, Fp) has CM by K, such that Jac(C, Fp) has a subgroup of prime order r, and such that Jac(C, Fp) has a prescribed embedding degree k with respect to r. For cryptographic applications, we need p and r to be large. We present the algorithm for the case d ≡ 2, 3 (mod 4) in this paper, where d is as defined in Section 3.1. The case d ≡ 1 (mod 4) can be treated similarly. In the case d ≡ 2, 3 (mod 4), such a curve can be constructed if we can find a simultaneous integral solution (c1, c2, c3, c4, p, r), in which p and r are large prime numbers, to the following system of equations:

$$c_1^2 + c_2^2 d + c_3^2 a + c_4^2 a d + 2c_3c_4 b d = p \quad (6)$$

$$2c_1c_2 + 2c_3c_4 a + c_3^2 b + c_4^2 b d = 0 \quad (7)$$

$$(p+1)^2 - 4c_1(p+1) + 4(c_1^2 - d c_2^2) \equiv 0 \pmod r \quad (8)$$

$$\Phi_k(p) \equiv 0 \pmod r \quad (9)$$

Here a, b, d and k are fixed, and Φ_k(x) is the k-th cyclotomic polynomial. Equations (6) and (7) mean that the prime p corresponds to a good Weil number, as discussed in Section 3.1. Equation (8) ensures that the Jacobian has a subgroup of prime order r. Equation (9) guarantees that the embedding degree of the Jacobian of the curve with respect to r is at most k. Note that Equation (9) implies p^k ≡ 1 (mod r). Given that p^{r−1} ≡ 1 (mod r), we must have k | (r − 1), i.e., r ≡ 1 (mod k).

Theorem 2. If (c1, c2, c3, c4, p, r) is returned by Algorithm 1, then it provides a solution to the system of equations (6), (7), (8), (9).

Algorithm 1 Generating pairing parameters for K = Q(η), d ≡ 2, 3 (mod 4)

Require: Integers a, b, d with d > 0 squarefree, d ≡ 2, 3 (mod 4), a² − b²d > 0 not a square; a prescribed embedding degree k; a bit size n of the desired subgroup order; maximum numbers of trials, M1 and M2.
Ensure: Integers c1, c2, c3, c4, prime numbers p and r, where r has n bits, satisfying Equations (6), (7), (8), (9); or "Not found."
1: Let c1 = ±1.
2: repeat
3:   Choose a prime number r of n bits such that r ≡ 1 (mod k).
4:   With c1 fixed as above, try to solve the system of equations given by (6), (7), (8), (9) over the finite field Fr for a simultaneous solution (c̄2, c̄3, c̄4, p̄).
5:   if such a solution exists then
6:     repeat
7:       Choose lifts c3 and c4 of c̄3 and c̄4 to Z such that f := bc3² + 2ac3c4 + bdc4² is even. Set c2 = −c1 f/2.
8:       Let p = ac3² + 2bdc3c4 + 2adc4² + 1 + dc2².
9:       if p is prime then
10:        Return (c1, c2, c3, c4, p, r).
11:      end if
12:    until Lines 7 through 11 have been tried M2 times.
13:  end if
14: until M1 primes r have been tried.
15: Return "Not found."

Proof. It is clear that if (c1, c2, c3, c4, p, r) is returned, then Equations (8) and (9) are automatically satisfied. Equations (6) and (7) are satisfied by the constructions in Steps 7 and 8. Step 9 ensures that p is prime. □

Depending on p and O_K, there are 2 or 4 possibilities for the group order #Jac(C, Fq) [24], [5]. However, for demonstration purposes, in the algorithm above we are only interested in curves C whose Jacobian has exactly the group order given by N = (p + 1)² − 4c1(p + 1) + 4(c1² − dc2²). Algorithm 1 looks difficult to analyze because we do not know how likely it is that a solution is found in Step 4. However, experimental results show that the algorithm returns valid parameters quickly and with high probability.

Example 1. Using Algorithm 1 in the case a = 2, b = −1, d = 2, some suitable pairing parameters are found in Appendix A, where r is 160, 256, 512 and 1024 bits, respectively. The computations were performed with the computer algebra system MAGMA [3]. Note that K = Q(i√(2 − √2)) ≠ Q(ζ5) is Galois, so there are only two possibilities for the group order #Jac(C, Fp) [24], namely N1 = (p + 1)² − 4c1(p + 1) + 4(c1² − dc2²), or the group order of a quadratic twist of the curve, N2 = 2(p + 1)² + 8(c1² − c2²d) − N1.
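Added example (my own code, not from the paper): the checks behind Theorem 2, i.e. Equations (6)-(9) and the order formula (3), together with the lifting of Steps 7-8 of Algorithm 1, run for the field of Example 1 (a = 2, b = −1, d = 2). All function names are mine; p is taken as the norm of π, i.e. the left-hand side of (6), so that (6) holds by construction, and toy_search replaces Step 4 (solving over Fr) by enumerating small c3, c4 and factoring N, which is only feasible at toy size.

```python
# Added example, not part of the paper: verify (c1, c2, c3, c4, p, r) against
# Equations (6)-(9) for d = 2, 3 (mod 4) and run Steps 7-8 of Algorithm 1 at toy size.
from math import gcd, log2


def is_prime(n):
    """Trial division; enough for the toy sizes used in this example."""
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))


def lhs_eq6(a, b, d, c):
    """Left-hand side of (6): the norm pi * pibar of the Frobenius element."""
    c1, c2, c3, c4 = c
    return c1 * c1 + c2 * c2 * d + c3 * c3 * a + c4 * c4 * a * d + 2 * c3 * c4 * b * d


def lhs_eq7(a, b, d, c):
    """Left-hand side of (7): the sqrt(d) coefficient of pi * pibar, must be 0."""
    c1, c2, c3, c4 = c
    return 2 * c1 * c2 + 2 * c3 * c4 * a + c3 * c3 * b + c4 * c4 * b * d


def jacobian_order(d, c1, c2, p):
    """Equation (3): N = #Jac(C, F_p) = (p+1)^2 - 4 c1 (p+1) + 4 (c1^2 - c2^2 d)."""
    return (p + 1) ** 2 - 4 * c1 * (p + 1) + 4 * (c1 * c1 - c2 * c2 * d)


def _poly_div(num, den):
    """Exact division of integer polynomials, lowest degree first (den monic)."""
    num, quot = num[:], [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1] // den[-1]
        for j, dj in enumerate(den):
            num[i + j] -= quot[i] * dj
    return quot


def cyclotomic(k):
    """Coefficients of Phi_k (lowest degree first): divide x^k - 1 by every Phi_e, e | k, e < k."""
    poly = [-1] + [0] * (k - 1) + [1]
    for e in range(1, k):
        if k % e == 0:
            poly = _poly_div(poly, cyclotomic(e))
    return poly


def phi_k_mod(k, p, r):
    """Phi_k(p) mod r, the quantity Equation (9) requires to vanish."""
    return sum(coef * pow(p, i, r) for i, coef in enumerate(cyclotomic(k))) % r


def embedding_degree(p, r):
    """Smallest k with r | p^k - 1 (Definition 1); caller must ensure gcd(p, r) = 1."""
    k, x = 1, p % r
    while x != 1:
        x, k = x * p % r, k + 1
    return k


def lift_step(a, b, d, c1, c3, c4):
    """Steps 7-8 of Algorithm 1: c2 = -c1 f/2 for even f, p = norm of pi. None if f is odd."""
    f = b * c3 * c3 + 2 * a * c3 * c4 + b * d * c4 * c4
    if f % 2:
        return None
    c2 = -c1 * f // 2
    return c2, lhs_eq6(a, b, d, (c1, c2, c3, c4))


def verify_solution(a, b, d, k, c1, c2, c3, c4, p, r):
    """True iff (c1, c2, c3, c4, p, r) satisfies (6), (7), (8), (9) with p, r prime."""
    c = (c1, c2, c3, c4)
    return (is_prime(p) and is_prime(r) and gcd(p, r) == 1
            and lhs_eq6(a, b, d, c) == p                      # (6)
            and lhs_eq7(a, b, d, c) == 0                      # (7)
            and jacobian_order(d, c1, c2, p) % r == 0         # (8)
            and phi_k_mod(k, p, r) == 0)                      # (9)


def rho(p, r):
    """rho = 2 log(p) / log(r), the efficiency measure defined in Section 5."""
    return 2 * log2(p) / log2(r)


def prime_factors(n):
    """Distinct prime factors by trial division (toy sizes only)."""
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1
    if n > 1:
        out.add(n)
    return sorted(out)


def toy_search(a, b, d, k, bound):
    """Brute-force stand-in for Algorithm 1 at toy size: instead of fixing r and solving
    over F_r (Step 4), enumerate small c3, c4, build p with lift_step, and look for a
    prime r | N with r = 1 (mod k) and embedding degree exactly k."""
    for c1 in (1, -1):
        for c3 in range(-bound, bound + 1):
            for c4 in range(-bound, bound + 1):
                lifted = lift_step(a, b, d, c1, c3, c4)
                if lifted is None or not is_prime(lifted[1]):
                    continue
                c2, p = lifted
                for r in prime_factors(jacobian_order(d, c1, c2, p)):
                    if r % k == 1 and p % r and embedding_degree(p, r) == k:
                        return c1, c2, c3, c4, p, r
    return None
```

For the field of Example 1 and k = 6, toy_search(2, -1, 2, 6, 3) returns a tuple such as (1, 2, 2, 0, 17, 7) (N = 224 = 32 · 7, Φ6(17) = 273 = 7 · 39), which verify_solution accepts; its ρ is far from 8 only because the toy search is not constrained to r of a prescribed bit size.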

6 Generating parameters with polynomial parameterization of coefficients ci

The parameter c1 produced by Algorithm 1 is always ±1 and the size of c2 dominates that of c1, c3 and c4. In fact, this is not necessary. We can modify the search method using the idea of polynomial parameterization and produce pairing parameters with c1, c2, c3 and c4 roughly of the same size. The algorithm is stated as Algorithm 2.

Algorithm 2 Generating pairing parameters for K = Q(η), d ≡ 2, 3 (mod 4) with polynomial parameterization

Require: Integers a, b, d with d > 0 squarefree, d ≡ 2, 3 (mod 4), a² − b²d > 0 not a square; a prescribed embedding degree k; a bit size n of the desired subgroup order; maximum numbers of trials, M1 and M2.
Ensure: Integers c1, c2, c3, c4, prime numbers p and r, where r has n bits, satisfying Equations (6), (7), (8), (9); or "Not found."
1: Choose degree 2 bivariate polynomials C3(x, y) and C4(x, y) ∈ Z[x, y] such that there is a factorization in Z[x, y]
     bC3² + 2aC3C4 + bdC4² = U · V,
   where U and V are bivariate polynomials of degree 2. Let C1(x, y) = U(x, y) and C2(x, y) = −(1/2)V(x, y).
2: repeat
3:   Choose a prime number r of n bits such that r ≡ 1 (mod k).
4:   Try to solve the system of equations given by (7), (8), (9), with ci replaced by Ci(x, y), i = 1, 2, 3, 4, over the finite field Fr for a simultaneous solution (x̄, ȳ, p̄).
5:   if such a solution exists then
6:     repeat
7:       Choose lifts x and y of x̄ and ȳ to Z such that ci := Ci(x, y), i = 1, 2, 3, 4, are all integers. Let p = ac3² + 2bdc3c4 + 2adc4² + c1² + dc2².
8:       if p is prime then
9:         Return (c1, c2, c3, c4, p, r).
10:      end if
11:    until Lines 7 through 10 have been tried M2 times.
12:  end if
13: until M1 primes r have been tried.
14: Return "Not found."

Similarly to Theorem 2, we have

Theorem 3. If (c1, c2, c3, c4, p, r) is returned by Algorithm 2, then it provides a solution to the system of equations (6), (7), (8), (9).

In Algorithm 2, it is clear that we need gcd(C1, C2, C3, C4) = 1 ∈ Z[x, y] so that a prime p can be found.

Example 2. Let C3(x, y) = C4(x, y) = xy, C1(x, y) = x² and C2(x, y) = −(a + b(1 + d)/2)y². Then they satisfy bC3² + 2aC3C4 + bdC4² + 2C1C2 = 0. Using these polynomials in the above algorithm, we have found for K = Q(i√(2 − √2)) (i.e., a = 2, b = −1, d = 2) parameters in which r is 160, 256, 512 and 1024 bits, respectively. Some of these parameters are presented in Appendix B.
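Added example (my own code, not from the paper) for the parameterization of Example 2: it evaluates C1, ..., C4 at an integer lift (x, y), confirms that the left-hand side of (7) vanishes for every lift, builds p as the left-hand side of (6) as in Step 7 of Algorithm 2, and shows how x, y of the size of r make p ≈ r⁴ and hence ρ ≈ 8. Function names are mine; r_bits in rho_for_lift is the assumed bit size of r, with x and y taken of about that size.

```python
# Added example, not part of the paper: Example 2's parameterization
# C3 = C4 = xy, C1 = x^2, C2 = -(a + b(1+d)/2) y^2 evaluated at integer lifts (x, y).
from fractions import Fraction
from math import log2


def is_prime(n):
    """Trial division; enough for the toy sizes used here."""
    return n > 1 and all(n % f for f in range(2, int(n ** 0.5) + 1))


def coefficients_from_xy(a, b, d, x, y):
    """c_i = C_i(x, y) for Example 2, or None when C2(x, y) is not an integer
    (the lift condition of Step 7), e.g. odd y when a + b(1+d)/2 is a half-integer."""
    c2 = -Fraction(2 * a + b * (1 + d), 2) * y * y
    if c2.denominator != 1:
        return None
    return x * x, int(c2), x * y, x * y


def sqrt_d_coefficient(a, b, d, c):
    """Left-hand side of (7); vanishes identically for this parameterization because
    b C3^2 + 2a C3 C4 + bd C4^2 + 2 C1 C2 = 0 as polynomials in x, y."""
    c1, c2, c3, c4 = c
    return 2 * c1 * c2 + 2 * a * c3 * c4 + b * c3 * c3 + b * d * c4 * c4


def frobenius_norm(a, b, d, c):
    """Left-hand side of (6): the value p that Step 7 of Algorithm 2 produces."""
    c1, c2, c3, c4 = c
    return c1 * c1 + d * c2 * c2 + a * c3 * c3 + a * d * c4 * c4 + 2 * b * d * c3 * c4


def parameters_from_xy(a, b, d, x, y):
    """Steps 7-8 of Algorithm 2 for one lift (x, y): (c1, c2, c3, c4, p) when the
    c_i are integral and p is prime, otherwise None."""
    c = coefficients_from_xy(a, b, d, x, y)
    if c is None:
        return None
    p = frobenius_norm(a, b, d, c)
    return (*c, p) if is_prime(p) else None


def rho_for_lift(a, b, d, x, y, r_bits):
    """2 log2(p) / log2(r) for the p built from (x, y), with r assumed to have r_bits
    bits; x and y are of about the size of r, so p is about r^4 and rho is about 8."""
    c = coefficients_from_xy(a, b, d, x, y)
    return 2 * log2(frobenius_norm(a, b, d, c)) / r_bits
```

For a = 2, b = −1, d = 2 the coefficient a + b(1 + d)/2 equals 1/2, so only even y give integral c2; the lift (x, y) = (1, 2) already yields the prime p = 17 with (c1, c2, c3, c4) = (1, −2, 2, 2).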

Since x and y are roughly the same size as r, the value of p obtained by this method is ≈ r⁴. It is thus a natural thought that if we parameterize the polynomials Ci(x, y) with degree 1 polynomials in Z[x, y], then the size of p may be reduced to ≈ r². Unfortunately, the following Proposition 1 shows that such parameterizations will not succeed in achieving this goal.

Proposition 1. Let a, b, d be integers such that d is squarefree and a² − b²d > 0 is not a square. Let f(X, Y) = bX² + 2aXY + bdY² be a bivariate polynomial in Q[X, Y]. Let F, G be polynomials of total degree 1 in Q[X1, X2, ..., Xn] such that F and G are not associated with one another. Then f(F, G) is irreducible in Q[X1, X2, ..., Xn].

Proof. First we note that b ≠ 0, as indicated by the condition that a² − b²d > 0 is not a square. Let D = a² − b²d. Let α = −a/b + √D/b and β = −a/b − √D/b. Then f(X, Y) can be factored over Q̄ as

$$f(X, Y) = bX^2 + 2aXY + bdY^2 = b(X - \alpha Y)(X - \beta Y),$$

where Q̄ is an algebraic closure of Q. Let F and G be polynomials of total degree 1 in Q[X1, X2, ..., Xn]. Write

$$F(X_1, X_2, \ldots, X_n) = \sum_{i=1}^{n} f_i X_i + f_0, \qquad G(X_1, X_2, \ldots, X_n) = \sum_{i=1}^{n} g_i X_i + g_0,$$

where f_i, g_i ∈ Q. Suppose f(F, G) is reducible in Q[X1, X2, ..., Xn]. Then we can write f(F, G) = bH1 · H2, where $H_j = \sum_{i=1}^{n} h_i^{(j)} X_i + h_0^{(j)} \in \mathbb{Q}[X_1, X_2, \ldots, X_n]$, j = 1, 2, both of total degree 1. Now we have

$$b(F - \alpha G)(F - \beta G) = f(F, G) = bH_1 \cdot H_2.$$

Note that Q(√D)[X1, X2, ..., Xn] is a unique factorization domain. Because F − αG, F − βG, H1 and H2 are of degree 1, they are irreducible. Without loss of generality, we may assume

$$F - \alpha G = \gamma H_1, \quad (10)$$

for some γ ∈ Q(√D)^×. We can write γ = s + t√D with s, t ∈ Q and t ≠ 0. Here we require t ≠ 0 as the polynomial on the left hand side of Equation (10) is in Q(√D)[X1, X2, ..., Xn] \ Q[X1, X2, ..., Xn]. Equation (10) gives

$$F - \big(-a/b + \sqrt{D}/b\big)G = \big(s + t\sqrt{D}\big)H_1.$$

Equating the coefficients of X_i and the constant terms on both sides of the above equation, we obtain

$$f_i + (a/b)g_i + (g_i/b)\sqrt{D} = s\cdot h_i^{(1)} + t\cdot h_i^{(1)}\sqrt{D}, \qquad 0 \le i \le n.$$

This in turn gives

$$f_i + (a/b)g_i = s\cdot h_i^{(1)}, \quad (11)$$

$$g_i/b = t\cdot h_i^{(1)}. \quad (12)$$

If g_i = 0 for some i, we must have $h_i^{(1)} = 0$ by (12), which again implies f_i = 0 by (11). Otherwise, if g_i ≠ 0, we can divide both sides of (11) and (12) to obtain b(f_i/g_i) = s/t, thus f_i/g_i = s/(b · t). Therefore, for all 0 ≤ i ≤ n, we have f_i = c · g_i, where the constant c = s/(b · t) ∈ Q. Hence F = c · G, i.e., F and G are associated. □

An alternative way to do polynomial parameterization in Step 1 of Algorithm 2 is to use degree 1 and degree 2 polynomials for C3(x, y) and C4(x, y). This will produce different kinds of ci's, but the resulting ρ value is still approximately 8 in general. On-going research is aiming at reducing further the value of ρ.

Acknowledgements The authors would like to thank Igor Shparlinski and Sam Wagstaff, Jr. for their valuable comments.

References

1. J. Balakrishnan, J. Belding, S. Chisholm, K. Eisenträger, K. Stange, and E. Teske. Pairings on hyperelliptic curves. http://arxiv.org/PS_cache/arxiv/pdf/0908/0908.3731v2.pdf.
2. R. Balasubramanian and N. Koblitz. The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. Journal of Cryptology, 11(2):141–145, 1998.
3. W. Bosma, J. Cannon, and C. Playoust. The MAGMA algebra system I: the user language. J. Symb. Comput., 24(3-4):235–265, 1997.
4. G. Cardona and J. Quer. Field of moduli and field of definition for curves of genus 2. In Computational aspects of algebraic curves, volume 13, pages 71–83, 2005.
5. K. Eisenträger and K. Lauter. A CRT algorithm for constructing genus 2 curves over finite fields. In Arithmetic, Geometry and Coding Theory (AGCT), Séminaires et Congrès 21 (2009), pages 161–176, 2005.
6. D. Freeman. Constructing pairing-friendly genus 2 curves over prime fields with ordinary Jacobians. In Proceedings of Pairing-Based Cryptography (Pairing 2007), volume 4575 of LNCS, pages 152–176. Springer, 2007.
7. D. Freeman. A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties. In Steven Galbraith and Kenneth Paterson, editors, Pairing-Based Cryptography - Pairing 2008, volume 5209 of Lecture Notes in Computer Science, pages 146–163. Springer Berlin / Heidelberg, 2008.
8. D. Freeman, M. Scott, and E. Teske. A taxonomy of pairing-friendly elliptic curves. Journal of Cryptology, 23:224–280, 2010.
9. D. Freeman, P. Stevenhagen, and M. Streng. Abelian varieties with prescribed embedding degree. In Algorithmic Number Theory VIII, pages 60–73, 2008.
10. E. Furukawa, M. Kawazoe, and T. Takahashi. Counting points for hyperelliptic curves of type y² = x⁵ + ax over finite prime fields. In Mitsuru Matsui and Robert Zuccherato, editors, Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science, pages 26–41. Springer Berlin / Heidelberg, 2004.
11. S.D. Galbraith, J.F. McKee, and P.C. Valenca. Ordinary abelian varieties having small embedding degree. Finite Fields and Their Applications, 13(4):800–814, 2007.
12. P. Gaudry and R. Harley. Counting points on hyperelliptic curves over finite fields. In Wieb Bosma, editor, Algorithmic Number Theory, volume 1838 of Lecture Notes in Computer Science, pages 313–332. Springer Berlin / Heidelberg, 2000.
13. P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler, and A. Weng. The 2-adic CM method for genus 2 curves with application to cryptography. In Xuejia Lai and Kefei Chen, editors, Advances in Cryptology - ASIACRYPT 2006, volume 4284 of Lecture Notes in Computer Science, pages 114–129. Springer Berlin / Heidelberg, 2006.
14. L. Hitt. Families of genus 2 curves with small embedding degree. Cryptology ePrint Archive, Report 2007/001, 2007.
15. M. N. Huxley. On the difference between consecutive primes. Inventiones Mathematicae, 15:164–170, 1971.
16. M. Kawazoe and T. Takahashi. Pairing-friendly hyperelliptic curves of type y² = x⁵ + ax. In Symposium on Cryptography and Information Security (SCIS), 2008.
17. H.W. Lenstra, Jr., J. Pila, and C. Pomerance. A hyperelliptic smoothness test, II. Proc. London Math. Soc., 84(1):105–146, 2002.
18. J.-F. Mestre. Construction de courbes de genre 2 à partir de leurs modules. (Construction of genus 2 curves starting from their moduli). Effective methods in algebraic geometry, Proc. Symp., Castiglioncello/Italy 1990, Prog. Math. 94, 313–334, 1991.
19. S. Pohlig and M. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Information Theory, 24:106–110, 1978.
20. K. Rubin and A. Silverberg. Supersingular abelian varieties in cryptology. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 336–353. Springer Berlin / Heidelberg, 2002.
21. N. Shang. Low genus algebraic curves in cryptography. PhD thesis, Purdue University, West Lafayette, USA, January 2009. Available at https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2009-07.pdf.
22. P. Van Wamelen. Examples of genus two CM curves defined over the rationals. Mathematics of Computation, 68(225):307–320, 1999.
23. A. Weil. Variétés Abéliennes et Courbes Algébriques. Paris, Hermann, 1948.
24. A. Weng. Constructing hyperelliptic curves of genus 2 suitable for cryptography. Mathematics of Computation, 72(241):435–458, 2002.

A  Parameters produced by Algorithm 1

Here are some parameters found by Algorithm 1 for the CM field $K = \mathbb{Q}(i\sqrt{2-\sqrt{2}})$ and embedding degree k = 5. Corresponding to this CM field there is a genus 2 curve defined over the rationals [22]:

$$C : y^2 = -x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1.$$

The curves over prime fields corresponding to these parameters are either C reduced modulo p or its quadratic twist C′. On average, a MAGMA script found one set of parameters with r = 160, 256, 512 and 1024 bits in 0.0918, 0.3486, 2.9938, and 46.5615 seconds, respectively. The computations were performed on an AMD Quad-Core Opteron(TM) 2.4GHz computer running Linux kernel release 2.6.9-34.0.1.ELsmp; only one processor was used for computation.

r : 160 bits. k = 5.

p = 252823257935282285362732638695054084330470208363294037922085422639242974021428617016685256858478396063171049776321146642543762678397966294736679271737114219377482492730434694368080216503567747137
r = 1461501637330902918203684832716283019655932544881
N = 63919599753010277074371937583511654240318456396799666644013838461562311041359420067669494611780522533031261231082704491098182528779928522366939854055782191379965677314562703378699008278543675026648680068400692359055695472813113539589727797257635464036783573538469958621972108837801425046905165205437534564314478956666193424293380483508555554755117650959335536265110336972288875552378947584
c1 = 1
c2 = 11243292621276079848206331730630023731174251699959569954973786210137165821520551831056883188430192
c3 = −64248144848395594424557829122788871673183688623832
c4 = −109802017909327381229794505154259988889529711346380
ρ ≈ 8.072

The equation of the curve over $\mathbb{F}_p$ is $y^2 = -x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1$.

r : 256 bits. k = 5.

p = 704881071480907162078296670102869074389758456316878620976045254499487753057018612511712201735014180524772377962473016939310167112744621549084701281800977311922475243532026678663444416777984086642261820360878053209107260269920646366156330351242218700528276622717003991911130319025660067745840160149952389932917329
r = 115792089237316195423570985008687907853269984665640564039457584007913129642241
N = 496857324932071752145912383893889169489835622033784989598880614229969960057380528145341182621544436360674179722969415484955886684347872770026411053244140018566049974700076815541374371031592611720892555014703585816910913734818476522890003367060634939104658599174570132609823174216276573137866957202831985326892972974643475849712058075634522614506805458611699021204439299923123514578344182885280717576928922896637801778010790956345539296480701514721219823943376856364544844490404257431312550838391605233331165209132474804644712415449375768349765769814512250344721171550541443831388350786300229054528190120614531020814267875552
c1 = 1
c2 = −593667024299357207475224021693404867559353586749362364291192910163117377314091174679730494164377377555124836261959845126549114759751896733965375133869149502
c3 = −3548809313566683873624287099133190257445712680595264225876058829990309058529874
c4 = −5936979480813871848895779658124341164096655715011808647348987318596163181064168
ρ ≈ 8.093

The equation of the curve over $\mathbb{F}_p$ is $y^2 = 3(-x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1)$.

B  Parameters produced by Algorithm 2

Below are some examples of the parameters found by Algorithm 2 for $K = \mathbb{Q}(i\sqrt{2-\sqrt{2}})$ and embedding degree k = 3. Here, we choose $C_3(x, y) = C_4(x, y) = xy$, $C_1(x, y) = x^2$ and $C_2(x, y) = -(a + b(1 + d)/2)\,y^2$ in Step 1 of Algorithm 2. On average, our MAGMA implementation found one set of parameters with r = 160, 256, 512 and 1024 bits in 0.1092, 0.4468, 4.1718, and 50.0140 seconds, respectively. The computations were performed on an AMD Quad-Core Opteron(TM) 2.4GHz computer running Linux kernel release 2.6.9-34.0.1.ELsmp; only one processor was used for computation.

r : 160 bits. k = 3.

p = 2760322067827918576043085019199885911367408859313438987402563848662416467553702979623124723634053832810065253894017495098779682257468497626596054621968600128109029276968729859800558964868162387810481
r = 1461501637330902918203684832716283019655932543447
N = 761937791813779631994733941106633708154739036303135746201414612683681374022951126862517606109944088144225942806086156441245392989328784595634034161547380138187778862280883378421865820312039814035229710820316286444508345243160595796537771020027471372909123195630278485253513049270650615256435136442386120895901675012299462125369911866209880438172735833621377815629134260417168291854627897831493756 8
c1 = 853413751674246325960655910542033278192644078137851807206531855460335897482560901762777003565546321
c2 = −467312771754171603865894820458465529298297100229438686497717835334951148694691783854304471959958498
c3 = c4 = −893097022442711268703148300906455700266481456199004270995167374051672546438742749426798352836518846
ρ ≈ 8.2401

The equation of the curve over $\mathbb{F}_p$ is $y^2 = 3(-x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1)$.

r : 256 bits. k = 3.

p = 822920761971611209794051125149779261868007917105814333422807428702492483230083267137722107007539895222282160142127021544643255654790661296929370353893229675700191477216018550151093614656582383928029105989773078845819669931262786638243789783462295242237448794562285423898483720827257224421582887155754347373346337
r = 115792089237316195423570985008687907853269984665640564039457584007913129640743
N = 677198580483937194263730753359784807376570572162519246889869342280825303221544448785936527874907934758954973084566673311745377719823827921949452806789889880244433787252197171529866435537710962674430364270167073890957249248397038280644492111218229707870352901997265602267012008190367799204249089289555501359671257565169217601621090826873836177562063961863106079250332295726864741112062721934169271263103526560093154332164970230499308835373318602217711383763542668793170469526104112283163915538814071400367342377588302828105729006173844263072005141407594831503408729928102270281417014852155526683323382176465726972979082574048
c1 = 89956738739147921738147694727435158471278087464983900240906088404369170344786295577857702572344239728770312767639486639317612676766992332579976274841427488 9
c2 = −3799162362811511037646333809731431024210749129068609946418093518334237736166615736185164181781338965280295434753862169111244409012722954687785372266393538
c3 = c4 = 82675299346181868737297716142467627782679598234083431484114422288087906493405752740627824201485645210824879536505195273507388849360615838257032702979376742
ρ = 8.0950

The equation of the curve over $\mathbb{F}_p$ is $y^2 = -x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1$.