1 Introduction
For a prime q, let E/𝔽q be an ordinary elliptic curve with Frobenius trace t=q+1-#E(𝔽q), where E(𝔽q) is the group of 𝔽q-rational points, for which #E(𝔽q)≈q. Let E[r] be the r-torsion group of E/𝔽q, for some r∈ℤ>0, containing all points of E(𝔽¯q) with order r. Define also the CM discriminantD>0 of the curve E/𝔽q as the square-free integer satisfying the CM equationDy2=4q-t2, for some y∈ℤ.
An asymmetric pairing on an ordinary elliptic curve E/𝔽q is a bilinear, non-degenerate, efficiently computable map of the form e^:𝔾1×𝔾2→𝔾T, where 𝔾1,𝔾2⊂E(𝔽q) and 𝔾T⊂𝔽qk* such that #𝔾1=#𝔾2=#𝔾T=r, for some prime r. The positive integer k is called the embedding degree of the curve E/𝔽q and it is the smallest integer, such that E[r]⊆E(𝔽qk). In pairing-based applications, the elliptic curves are chosen such that the following conditions are satisfied:
The order of the curve is #E(𝔽q)=hr, for a small cofactorh≥1 and a large prime r.
The ρ-value of the curve, defined as ρ=logqlogr is close to 1, hence logq≈logr.
The prime r must be large enough, so that the DLP in 𝔾1 and 𝔾2 is computationally hard.
The embedding degree k is large enough, so that the DLP in the extension field 𝔽qk, and hence in 𝔾T, is approximately as hard as in 𝔾1,𝔾2.
The embedding degree k is small enough, for efficient operations in 𝔾T.
The sizes of r and qk provide at least an 128-bit security level, corresponding to an AES symmetric key, in the source groups 𝔾1,𝔾2 and the target group 𝔾T.
An elliptic curve E/𝔽q with embedding degree k satisfying these properties is called pairing-friendly.
Our purpose is to determine pairing-friendly elliptic curve parameters (q,t,r) satisfying the above conditions. There are two basic strategies for finding such triples, namely the Cocks–Pinch method [10] and the Dupont–Enge–Morain (DEM) method [5]. In both cases the trace of Frobenius t is set as the lift of some integer in (ℤ/rℤ)*. Therefore, t has approximately the same size as r, which in turn implies that the generic ρ-value is ρ≈2 in both methods. Such choices of parameters do not lead to efficient pairing computations, when considering the most well-known variants of the Tate pairing, namely the Ate and twisted-Ate asymmetric pairings. This problem can be avoided by representing the elliptic curve parameters (q,t,r) as polynomial families(q(x),t(x),r(x)) in ℚ[x]. There are three types of polynomial families depending on the form of the CM polynomialf(x)=4q(x)-t(x)2, which is the right-hand side of the CM equation expressed in polynomial terms.
Definition 1 ([3]).
A polynomial family (q(x),t(x),r(x)) is complete if there exists a y(x)∈ℚ[x] such that f(x)=Dy(x)2, for some square-free D>0. If f(x)=g(x)y(x)2, for some g(x)∈ℚ[x] with degg=1, the family is complete with variable discriminant, and if g(x) is quadratic, not a perfect square, with positive leading coefficient (i.e. lc(g)>0), the family is sparse.
When using polynomial families (q(x),t(x),r(x)), we can generate pairing-friendly triples by evaluating these polynomials at some x0∈ℤ such that q(x0) and r(x0) are both primes and 4q(x0)-t(x0)2=Dy2, for some square-free D>0 and some y∈ℤ. With this notation, t(x0) is the Frobenius trace, q(x0) is the base field prime and r(x0) is the prime dividing the order of the curve. The most well-known method for constructing polynomial families is the Brezing–Weng method [2]. This is an extension of the Cocks–Pinch method, but now operations are performed in the polynomial field ℚ[x]/〈r(x)〉. In this case the size of the Frobenius trace t(x0) is smaller than the size of r(x0). More precisely, we obtain logt(x0)=dlogr(x0), where d=1degr in the best case and d=1-1degr in the worst case. This has several advantages compared to the Cocks–Pinch and DEM methods, implying that we can exploit the efficient Ate and twisted-Ate pairing computations when defined on Brezing–Weng elliptic curves.
Freeman, Scott and Teske [10] suggested that for pairing applications, the sizes of curve parameters should be selected according to Table 1.
The complexity of the DLP in the r-order subgroups 𝔾1,𝔾2⊂E(𝔽q) is O(r) (Pollard’s rho method). For the DLP in finite field extensions 𝔽qk there has been recently a progress on the tower number field sieve (TNFS) method [13, 16] that affects its complexity when k is composite. These new improvements imply that when k is prime, we can follow the recommendations of Table 1 for selecting curve parameters, but when k is composite, Table 1 should be updated.
Table 1
Bit size of elliptic curve parameters and embedding degrees for various security levels.
| | | Embedding degree |
| Security level | Subgroup size | Extension field size | ρ≈1 | ρ≈2 |
| 128 | 256 | 3,000–5,000 | 12–20 | 6–10 |
| 192 | 384 | 8,000–10,000 | 20–26 | 10–13 |
| 256 | 512 | 14,000–18,000 | 28–36 | 14–18 |
Complete families are studied in [1, 2, 12, 23, 24] and they are attractive for applications due to their small CM discriminant. However, in [6] it is recommended to use curves with large discriminant to avoid various attacks on the DLP. This is achieved by the other two types. Complete families with variable discriminant are studied in [3, 10, 14]. Sparse families for k=3,4,6 are constructed in [4, 7, 11, 17, 21], but offer a low security level of 80-bits. Consequently, we need to search for sparse families with k∉{3,4,6} and so far there are only few such examples in the literature. The first is due to Freeman for k=10 and ρ=1. There are also two examples for k=8,12 and ρ≈1.5 presented in [3], while in [8] we introduced sparse families for k=5,10 with ρ≈1.5.
In this paper we focus on the construction of sparse families for various embedding degrees. Particularly our contribution is threefold.
We propose a method for producing sparse families with for any k that combines previous work presented in [3, 14]. Firstly, we apply Lee–Park’s method [14] in order to determine polynomials r(x), t(x) and then Dryło’s method [3] for constructing CM polynomials of Definition 1.
We introduce more sparse families for k∈{5,8,10,12} and the first examples in the literature for a variety of other k as well, with ρ≤2.
We produced numerical examples of cryptographic value, considering the recent progress on the TNFS method for reducing the complexity of the DLP in finite field extensions of composite degree [13, 16].
The rest of the paper is organized as follows. In Section 2 we present the necessary background related to pairing-friendly elliptic curves and overview the most important work on the three types of polynomial families. We analyze our method in Section 3 and demonstrate our experimental results in Section 4. We conclude the paper in Section 5.
2 Background and previous work
Recall that our goal is to determine suitable integer triples (q,t,r), for some fixed and relatively small embedding degree k. So far, the best ρ-values are achieved when representing q,t,r as polynomial families (q(x),t(x),r(x)) in ℚ[x], respectively.
Definition 2 ([10]).
Let q(x),t(x),r(x)∈ℚ[x] be non-zero polynomials. We say that a polynomial triple (q(x),t(x),r(x))parameterizes a family of pairing-friendly ordinary elliptic curves with embedding degree k and CM discriminant D, if the following are satisfied:
q(x) represents primes, i.e. it is non-constant, irreducible, with positive leading coefficient. Additionally, q(x)∈ℤ, for some (or infinitely many) x∈ℤ and gcd({q(x):x,q(x)∈ℤ})=1,
r(x) is non-constant, irreducible, integer-valued, with positive leading coefficient,
r(x) divides both q(x)+1-t(x) and Φk(t(x)-1), where Φk(x) is the kth cyclotomic polynomial,
there are infinitely many integer solutions (x,Y) for the parameterized CM equation
(2.1)DY2=4q(x)-t(x)2.
The ρ-value of a polynomial family (q(x),t(x),r(x)) is defined as
ρ(q,t,r)=degqdegr.
The condition r(x)∣(q(x)+1-t(x)) implies that #E(𝔽q(x))=q(x)+1-t(x)=h(x)r(x) for a cofactor h(x)∈ℚ[x]. Substituting into equation (2.1), we obtain
DY2=4h(x)r(x)-(t(x)-2)2.
The condition r(x)∣Φk(t(x)-1) means that t(x)-1 is a primitive kth-root of unity in ℚ[x]/〈r(x)〉. Finding polynomials t(x),r(x) satisfying this condition is not straightforward. Usually r(x) is taken as the kth cyclotomic polynomial for some k>0. More results can be obtained if we allow r(x) to be an irreducible polynomial dividing Φk(t(x)-1), for some t(x)∈ℚ[x] (see for example [14, 23]). Once r(x) is fixed, we must obtain a solution (x0,Y0) for equation (2.1) such that q(x0) and r(x0) are large primes. Then we apply the CM method to construct an elliptic curve E/𝔽q(x0), with Frobenius trace t(x0) and order #E(𝔽q(x0))=h(x0)r(x0), requesting h(x0) to be small.
Let f(x)=4q(x)-t(x)2∈ℚ[x] be the CM polynomial of the form f(x)=g(x)y(x)2, with y(x),g(x)∈ℚ[x] and degg≤2. By Definition 1, if degg=0, the family (q(x),t(x),r(x)) is complete and thus f(x)=Dy(x)2, for some square-free D>0. If degg=1, the family is complete with variable discriminant and, finally, if degg=2, with g(x) not a perfect square and lc(g)>0, the family is sparse.
Complete families.
The most common method for constructing complete families is due to Brezing and Weng [2]. This method starts by fixing an embedding degree k and a square-free CM discriminant D. Then, it chooses an irreducible polynomial r(x)∈ℚ[x] such that ζk,-D∈ℚ[x]/〈r(x)〉, where ζk is a primitive kth-root of unity. Finally, it sets t(x) and y(x) as the polynomials mapping to ζk+1 and (ζk-1)/-D, respectively, and q(x)=14(t(x)2+Dy(x)2). For more examples of this type of families, see [10, 12, 23, 24].
The small discriminants make complete families very attractive for implementations. However, according to [6] we need larger CM discriminants to avoid various attacks on the DLP. This is done by the other two types of polynomial families, for which the CM discriminant has a polynomial representation. Note however that although larger CM discriminants might be preferable, these values should not be too large, since a large D would affect the efficiency of the CM method. More precisely, the CM discriminant D should be at most 1013, which is the current record for constructing Hilbert class polynomials using the Chinese Remainder Theorem (see [22]).
Complete families with variable discriminant.
By Definition 1 the CM polynomial is f(x)=g(x)y(x)2 and degg=1. These families can be constructed via the Brezing–Weng method by replacing the square-free integer D with a linear term g(x) such that -g(x)∈ℚ[x]/〈r(x)〉. Such examples appear in [3, 10, 14, 15]. Although this type offers more flexible CM-discriminant, the choices are still limited, especially as the value k increases. In particular, in order to find suitable parameters with this type of families, we are searching for x0=Dy2∈ℤ such that r(x0) and q(x0) are both primes of reasonable size and so as degr grows, the choices for D are limited.
Sparse families.
The CM polynomial is f(x)=g(x)y(x)2, where g(x) is quadratic, non-square, with lc(g)>0. With sparse families, curve parameters derive from the solutions of a generalized Pell equation. The first examples were the MNT families (see [17] and [4, 7, 11, 21]) for k∈{3,4,6} and ρ(q,t,r)=1. These are ideal families in terms of the ρ-value, but correspond to a low security level of 80-bits. In [9], Freeman introduced a sparse family for k=10 with ρ(q,t,r)=1 and Dryło [3] proposed a method for producing sparse families offering two new examples for k=8,12 with ρ(q,t,r)=1.5. We note that Freeman’s family is the only known ideal sparse family in terms of ρ, for k≠3,4,6. Finally, in [8] we described two alternatives for producing sparse families. In the first we are searching for polynomials r(x),t(x) such that f(x)≡-(t(x)-2)2modr(x)=g(x)y(x)2, while in the second we are searching for a cofactor h(x) such that f(x)=4h(x)r(x)-(t(x)-2)2=g(x)y(x)2. We generated new examples for k=5,10 and ρ(q,t,r)=1.5.
Contribution.
We argue that sparse families offer more flexibility on the CM discriminant, but for k∉{3,4,6} are very rare. Additionally, numerical examples of suitable parameters (q,t,r) obtained from sparse families can be found in the literature only for Freeman’s family [9] and in our earlier work [8], for k=5,10. Motivated by these facts, we further study the construction of this type of families. In particular, our contribution is summarized as follows:
The proposed method.
We propose a method that combines Lee–Park’s [14] and Dryło’s [3] ideas. More precisely, we first apply Lee and Park’s method for constructing polynomials t(x),r(x) such that r(x)∣Φk(t(x)-1). Then we follow Dryło’s process in order to fix a CM polynomial f(x)=g(x)y(x)2, for some non-square g(x)∈ℚ[x], with degg=2 and lc(g)>0. In particular, we are searching for an element z(x)∈ℚ[x]/〈r(x)〉 such that -z(x)2≡g(x)modr(x). This condition allowed us to produce more sparse families than any other work focusing on this type of families.
New families.
Using this method, we produced new sparse families for various embedding degrees k≠3,4,6 that have not previously appeared in the literature, with ρ(q,t,r)<2. Additionally, Table 1 indicates that families with ρ(q,t,r)≈2 are also likely to offer a balanced security level in the three groups 𝔾1,𝔾2 and 𝔾T of a pairing. This motivates us to introduce the first sparse families in the literature with ρ(q,t,r)=2.
Experimental results.
We implemented the proposed method together with a Pell equation solver and produced several pairing-friendly parameters. Our results are aiming for security levels of at least 128-bit AES key, which is today’s state of the art. The values q and r are chosen with respect to Table 1 for prime k. On the other hand, for composite k the extension field size klogq is taken larger than the recommended values of Table 1 (see [6]), in order to surpass the threat of the new variants of the TNFS method [13, 16]. Finally, in our examples we have considered CM discriminants up to 2⋅106. More examples can be obtained by allowing even larger D.
3 Sparse families of pairing-friendly elliptic curves
To construct sparse families of pairing-friendly elliptic curves, the first step is to find an irreducible polynomial r(x)∈ℚ[x] and a trace polynomial t(x)∈ℚ[x] such that r(x)∣Φk(t(x)-1), for some fixed k. In order to implement this we adopt Lee and Park’s method [14]. Once these polynomials are constructed, the next step is to determine a non-square polynomial g(x), with degg=2 and lc(g)>0, such that the CM polynomial is f(x)=g(x)y(x)2, with y(x)∈ℚ[x]. For this step we use Dryło’s method [3]. The construction of the remaining polynomials y(x),q(x) is straightforward.
Finding the polynomial r(x).
Following Lee and Park [14], we start by choosing an arbitrary embedding degree k∉{1,2,3,4,6} and fixing an element θ∈ℚ(ζk) of the form
(3.1)θ=a0+a1ζk+a2ζk2+⋯+aφ(k)-1ζkφ(k)-1
such that u(θ)=ζk in ℚ(ζk), for some u(x)∈ℚ[x] and ai∈ℚ, for every i=0,…,φ(k)-1. Let ℬ(θ) and ℬ(ζk) be the following sets:
ℬ(θ)={1,θ,…,θφ(k)-1} and ℬ(ζk)={1,ζk,…,ζkφ(k)-1}.
The polynomial u(x) can be found by constructing the transition matrixP from the set ℬ(θ) to ℬ(ζk), which is a φ(k)×φ(k) matrix with elements Pij obtained by the relation
θj=∑i=0φ(k)-1Pijζki for each j=0,1,…,φ(k)-1.
If det(P)≠0, the transition matrix P has an inverse P-1=(Pij′) and we set u(x) as
(3.2)u(x)=∑i=0φ(k)-1Pi1′xi.
By [14, Lemma 2], Φk(u(x)) has an irreducible factor of degree φ(k), which is set as r(x). Additionally, with this setup we get that u(x) is a primitive kth-root of unity in K=ℚ[x]/〈r(x)〉. Note also that the coefficients of u(x) are multivariate polynomials in ℚ[a0,a1,…,aφ(k)-1] and so we need to ensure that a0,a1,…,aφ(k)-1∈ℚ are chosen such that det(P)≠0.
The complexity of this procedure depends on the value φ(k)=degr and as this value grows, the efficiency of the process is affected. In our examples we used this method for cases where φ(k)=4, corresponding to embedding degrees 5, 8, 10 and 12, but the method can be applied also for higher embedding degrees. We can avoid this procedure by setting r(x) as the kth-cyclotomic polynomial, where in this case u(x)=x represents a primitive kth-root of unity in K=ℚ[x]/〈r(x)〉.
Searching for g(x).
After constructing u(x) and r(x), the next step is to find a quadratic, non-square polynomial g(x) with lc(g)>0 such that -g(x)∈K=ℚ[x]/〈r(x)〉. In other words, we need to find an element z(x)∈K such that -z(x)2=g(x) in K. We write
(3.3)z(x)=zφ(k)-1xφ(k)-1+⋯+z2x2+z1x+z0
and we are searching for z0,z1,…,zφ(k)-1∈ℚ such that -z(x)2modr(x) is quadratic, non-square, with positive leading coefficient. However, we do not need to search all the φ(k) variables zi. In particular, we set
(3.4)-z(x)2≡[∑i=0φ(k)-1gi(z0,z1,…,zφ(k)-1)xi]modr(x),
where all gi(z0,z1,…,zφ(k)-1) are multivariate polynomials with rational coefficients that represent the coefficients of g(x). Since we wish -z(x)2 to be a quadratic, we set
gi(z0,z1,…,zφ(k)-1)=0
for all i=3,4,…,φ(k)-1. Solving this system will eliminate some of the zi and hence improve the efficiency of the search. Finally, we need g2(z0,z1,…,zφ(k)-1)>0 and the discriminant of g(x) to be non-zero, so that g(x) is not a perfect square. This process is also described in [3].
Computing the remaining polynomials.
So far we have determined the polynomial r(x), a polynomial u(x) representing a primitive kth-root of unity in K=ℚ[x]/〈r(x)〉, the non-square, quadratic polynomial g(x), with lc(g)>0 and a polynomial z(x)=-g(x) in K. Following the original Brezing–Weng method [2], we can compute the remaining polynomials in the following way. For each primitive kth-root of unity ζk↦[u(x)jmodr(x)], with j=1,2,…,φ(k)-1, such that gcd(j,k)=1 we set t(x)≡[u(x)j+1]modr(x) and
y(x)≡[(u(x)j-1)z(x)-1]modr(x)=[∑i=0φ(k)-1yi(z0,z1,…,zφ(k)-1)xi],
where z(x)-1 is the multiplicative inverse of z(x) in ℚ[x]/〈r(x)〉. We then set the CM and field polynomials as f(x)=g(x)y(x)2 and q(x)=14[t(x)2+f(x)], respectively. Note that the field polynomial must represent primes in the sense of Definition 2. If this is true, we have a sparse family (q(x),t(x),r(x)) of pairing-friendly elliptic curves with embedding degree k.
Additional conditions.
With our construction, we have
degt,degy≤φ(k)-1
and
degf=degg+2degy=2+2degy≤2φ(k).
Thus the ρ-value of these polynomial families is
ρ(q,t,r)=degqdegr=deg[t(x)2+f(x)]degr=max{2degt,2+2degy}degr≤2.
For ρ-values less than 2, we need the degree of y(x) to be less than φ(k)-1 and so we set
yφ(k)-1(z0,z1,…,zφ(k)-1)=0.
This is an extra equation in (z0,z1,…,zφ(k)-1) and using it we can eliminate more of the zi. However, we also give examples with ρ(q,t,r)=2, in which case the above equation must be non-zero. Even more zi can be eliminated if we allow the polynomial g(x) to have the same leading coefficient and constant term. In other words this is written as
g2(z0,z1,…,zφ(k)-1)=g0(z0,z1,…,zφ(k)-1).
Most of the examples presented in this work respect this additional properties.
Algorithm 1 (Sparse families of pairing-friendly elliptic curves.).
Summary and the algorithm.
The conditions that need to be met for the coefficients (z0,z1,…,zφ(k)-1) of the polynomial z(x)∈K lead to the following system of multivariate equations:
(3.5)gφ(k)-1(z0,z1,…,zφ(k)-1)=…=g3(z0,z1,…,zφ(k)-1)=0,g2(z0,z1,…,zφ(k)-1)>0,Δg≠0,yφ(k)-1(z0,z1,…,zφ(k)-1)=0 (optional),g2(z0,z1,…,zφ(k)-1)-g0(z0,z1,…,zφ(k)-1)=0 (optional),}
where Δg denotes the discriminant of the polynomial g(x). If we wish to construct sparse families with ρ(q,t,r)=2, we need to exclude the fourth condition from system (3.5). Additionally, we can find more suitable polynomials g(x) by excluding the last condition of system (3.5). The above process is described in Algorithm 1.
Remark 1.
Note that if the φ(k)-tuple (z0,z1,…,zφ(k)-1) is a suitable solution of system (3.5), then the φ(k)-tuple (nz0,nz1,…,nzφ(k)-1), for any n∈ℚ/{0}, is also a solution for this system, but it will generate the same sparse family. Furthermore, two quadratic polynomials g(x) and g′(x) are said to be equivalent if there is a linear transformation x↦(ay+b) such that g′(x)=g(ay+b). In this case, the polynomials g(x) and g′(x) also generate the same sparse family.
Since we are searching for integer triples (q,t,r), we need to ensure that for each output of Algorithm 1 the polynomials q(x),t(x) and r(x) have integer coefficients. In order to do this, we need to find the smallest positive integer n such that nq(x)∈ℤ[x] and then search for the smallest positive factor m of n such that q(mx+l)∈ℤ[x], for some integer l∈[-m,m] (see [12, 14] for details). However, such a linear transformation does not always exist. If it does, we apply it on q(x),t(x) and r(x) and test if q(mx+l), t(mx+l) and r(mx+l) have integer coefficients.
3.1 Cyclotomic sparse families
When r(x) is the kth cyclotomic polynomial Φk(x), for some fixed k, then u(x)=x and we omit the first three steps of Algorithm 1. With this setup, every power xj for j=1,…,φ(k)-1 such that gcd(j,k)=1 is a primitive kth-root of unity in ℚ[x]/〈r(x)〉. We here give the first cyclotomic sparse families in the literature for embedding degrees k∈{5,7,8,9,10,12,14,15,18,20,30} and ρ(q,t,r)≤2. Note that as φ(k) grows, it is harder to determine a suitable element z(x)∈K. The following results are restricted for cases where φ(k)≤8.
3.1.1 The case k=5
We have r(x)=Φ5(x) and thus z(x)=z3x3+z2x2+z1x+z0. Setting g3(z0,z1,z2,z4)=0, we get that
z(x)=z3x3+z2x2+z1x+z22+2z3z1-2z2z12z3,
and in this case degg=2.
Table 2
Cyclotomic sparse families for k with φ(k)=4 and ρ(q,t,r)=1.5.
| Family | k | t(x) | g(x) | y(x) | x0 |
| 1 | 5 | x+1 | 3x2-2x+3 | -(2x2+2x+1) | x0∈ℤ |
| 2 | 5 | x3+1 | 4x2+7x+4 | x2+1 | 1mod2 |
| 3 | 8 | -x3+1 | 7x2-26x+7 | -117(3x2-x+3) | {8,15}mod17 |
| 4 | 8 | -x3+1 | 14x2-20x+14 | 12(x2+2x+1) | 1mod2 |
| 5 | 10 | x3+1 | 12x2-3x+4 | 111(x2+2x+3) | {7,13}mod22 |
| 6 | 10 | x3+1 | 3x2+10x+3 | 111(x2+3x+1) | {2,6}mod11 |
| 7 | 10 | x3+1 | 15x2+50x+15 | 155(7x2-x+7) | {2,13,17,28}mod55 |
| 8 | 10 | -x3+x2-x+2 | 20x2-35x+20 | 15(x2+x) | 0mod10 |
Furthermore, adding the condition g2(z0,z1,z2,z4)=g0(z0,z1,z2,z4), we get z2=0 or z2=2z3. In the first case if we set t(x)=x+1 and y3(z0,z1,z2,z4)=0, we obtain z3=2z1. In the second case we set t(x)=x3+1 and then the polynomial y(x) is quadratic. We conclude to the following polynomials z(x):
z(x)=2z1x3+z1x+z1for t(x)=x+1,
z(x)=z3x3+2z3z2+z1x+2z3-z1for t(x)=x3+1.
In the first polynomial z(x) we set z1=1 and obtain the first family of Table 2. By Remark 1, taking any other z1∈ℚ will lead us to an equivalent family. For the second case we give an example for (z1,z3)=(2,1) in Table 2. Polynomial families with k=5 and ρ(q,t,r)=1.5 correspond to a security level below 128-bits in the extension field 𝔽q5, for a 256-bit prime r. In order achieve a security level around 128-bits we consider sparse families with ρ(q,t,r)=2. Note that in this case we require degy=3 and hence y3(z0,z1,z2,z3)≠0. Such examples are presented in Table 5.
3.1.2 The case k=8
Quadratic polynomials g(x) can be obtained by setting the polynomial z(x) as
z(x)=z3x3+z2x2+z1x-z1z2z3.
Adding the condition g2(z0,z1,z2,z3)=g0(z0,z1,z2,z3), we get that z2=±z3 and for t(x)=±x3+1, respectively, we have y3(z0,z1,z2,z3)=0. In other words we conclude to the polynomials z(x) of the form
z(x)=z3x3±z3x2+z1x∓z1 for t(x)=±x3+1.
Examples for (z1,z3)∈ℚ2∖(0,0) with ρ(q,t,r)=1.5 and ρ(q,t,r)=2 appear in Tables 2 and 5.
3.1.3 The case k=10
In [9], Freeman presented a sparse family for k=10 and ρ(q,t,r)=1. This is the only known ideal sparse family in terms of the ρ-value for k≠3,4,6. We give more examples with ρ(q,t,r)=1.5 and ρ(q,t,r)=2 in Tables 2 and 5, respectively. In particular, in order to obtain a quadratic polynomial g(x) we set
z(x)=z3x3+z2x2+z1x-z22+2z3z1+2z2z12z3.
Adding the constraint g2(z0,z1,z2,z3)=g0(z0,z1,z2,z3), we get that z2=0 or z2=-2z3. In the first case, for t(x)=x3+1, the polynomial y(x) is quadratic and so we have
z(x)=z3x3+z1x-z1 for t(x)=x3+1.
In the second case we add the condition y3(z0,z1,z2,z3)=0, in which case for t(x)=-x3+x2-x+2 we get z1=43z3. Then we have
z(x)=z3x3-2z3x2+4z33x-2z33 for t(x)=-x3+x2-x+2.
Sparse families with ρ(q,t,r)=1.5 are presented for both cases in Table 2 and with ρ(q,t,r)=2 in Table 5. In these tables we also give examples of sparse families with polynomials g(x) such that
g2(z0,z1,z2,z3)≠g0(z0,z1,z2,z3).
For k=12 we could not find any examples of cyclotomic sparse families. However, we cover this case by taking r(x) as a non-cyclotomic polynomial. For k=5,8,10 and 12 the construction of suitable polynomials z(x) is easy, since the degree of the polynomial r(x) is small, i.e. degr=φ(k)=4. When φ(k) increases, this search is much harder. However, we give a few examples for degr=6,8 in the following paragraphs.
3.1.4 The case where φ(k)=6
When φ(k)=6, the embedding degree is 7, 9, 14 or 18 and since r(x)=Φk(x), we have degr=6. In such cases z(x)∈ℚ[x] is a degree 5 polynomial, written as
z(x)=z5x5+z4x4+z3x3+z2x2+z1x+z0.
Then we can easily eliminate at least two of its coefficients, namely z0 and z1, by solving the equations
g5(z0,z1,z2,z3,z4,z5)=g4(z0,z1,z2,z3,z4,z5)=0
in terms of z0 and z1, respectively.
Table 3
Cyclotomic sparse families for k with φ(k)=6 and ρ(q,t,r)=1.6667.
| Family | k | t(x) | g(x) | y(x) | x0 |
| 1 | 7 | x5+1 | 208x2+375x+208 | 171(38x4-23x3+50x2-23x+38) | {37,91,103,119}mod142 |
| 2 | 9 | x5+1 | 8x2+35x+8 | -1109(x4-18x3-4x2-18x+1) | {27,105,147,175}mod218 |
| 3 | 9 | x5+1 | 51x2+126x+51 | 1543(47x4+x3+57x2+x+47) | {43,73,424,442}mod543 |
| 4 | 14 | x5+1 | 4x2+5x+4 | -(2x4-5x3+6x2-5x+2) | 1mod2 |
| 5 | 18 | x5+1 | 4x2+9x+4 | -119(3x4-2x3-8x2-2x+3) | {3,13,15,33}mod38 |
| 6 | 18 | x5+1 | 19x2+30x+19 | -137(3x4+5x3-7x2+5x+3) | {3,4,25,28}mod37 |
Examples of sparse families for these cases appear in Table 3 for ρ(q,t,r)=1.6667 and in Table 6 for ρ(q,t,r)=2. These are the first sparse families in the literature for k∈{7,9,14,18}. Note that when k=7, we can choose suitable parameters following Table 1, since this case is not affected by the exTNFS or SexTNFS methods [13, 16]. In the other three cases, the embedding degree is composite and hence we need to update the recommendations of Table 1, in order to avoid the new TNFS attacks.
Table 4
Cyclotomic sparse families for k with φ(k)=8, t(x)=x7+1 and ρ(q,t,r)=1.75.
| k | g(x) | y(x) | x0 |
| 30 | 155x2+350x+155 | 19755(433x6-293x5-149x4+637x3-149x2-293x+433) | {707,1003,1228,1348,2658 |
| | | 3582,5533,6042,7993,8807 |
| | | 9032,9152}mod9755 |
3.1.5 The case where φ(k)=8
This case corresponds to embedding degrees 15, 16, 20, 24, 30. We have degr=8 and z(x)∈ℚ[x] is written as
z(x)=z7x7+z6x6+z5x5+z4x4+z3x3+z2x2+z1x+z0.
In such cases we can eliminate the three coefficients z0,z1,z2 by solving the following system of equations:
g7(z0,z1,z2,z3,z4,z5,z6,z7)=g6(z0,z1,z2,z3,z4,z5,z6,z7)=g5(z0,z1,z2,z3,z4,z5,z6,z7)=0.
We have found only one such example for k=30, with t(x)=x7+1 and ρ(q,t,r)=1.75 in Table 4. Two families for k=15,20 with ρ(q,t,r)=2 appear in Table 7.
3.1.6 Sparse families with ρ(q,t,r)=2
As stated in [19], elliptic curve parameters with ρ≈2 might as well offer fast pairing computations. Additionally, examples with ρ≈2 can also achieve a nice balance corresponding to security levels of 128-, 256- and 512-bits.
In Tables 5–7 we gather a few examples of cyclotomic sparse families, with ρ(q,t,r)=2, where degr=4,6 and 8, respectively. Since ρ(q,t,r)=2, we have excluded the condition
yφ(k)-1(z0,…,zφ(k)-1)=0
from system (3.5).
Hence the polynomials y(x) have degy=φ(k)-1 and thus
degq=2φ(k)=2degr.
Furthermore, we are restricted to cases where the coefficients of the polynomials z(x) are integers in the range [-10,10]. More examples can be found by expanding this range, however we are aiming for polynomials that have relatively small coefficients. Additional examples can be also obtained by considering rational coefficients for z(x). In our examples we generally focus on embedding degrees for which the polynomial families are likely to offer pairing-friendly parameters with a nice balance between the security levels in the three defining groups of a pairing. We note that the number of suitable sparse families decreases as the value φ(k) grows. More precisely, we found many families for cases where φ(k)=4 and just a few for φ(k)=8.
Table 5
Cyclotomic sparse families with degr=4 and ρ(q,t,r)=2.
| Family | k | t(x) | g(x) | y(x) | x0 |
| 1 | 5 | x+1 | 3x2-10x+3 | 111(4x3+2x2+6x+3) | {2,5,9}mod11 |
| 2 | 5 | x2+1 | 3x2+2x-1 | -111(10x3+6x2+x+3) | {3,5,9}mod11 |
| 3 | 8 | -x3+1 | x2+10x+1 | 17(3x3-x2+1) | 9mod14 |
| 4 | 8 | -x+1 | 7x2-10x+7 | 2x3-2x-3 | x0∈ℤ |
| 5 | 8 | -x+1 | 7x2-26x+7 | 117(2x3-2x-5) | {8,11,15}mod17 |
| 6 | 8 | -x+1 | 14x2-20x+14 | -12(3x3-3x-4) | 1mod2 |
| 7 | 10 | x3+1 | 3x2-2x-1 | -111(8x3-7x2+3x-9) | {2,6,8}mod11 |
| 8 | 10 | x+1 | 3x2+10x+3 | 111(2x3-2x2+3) | {2,4,6}mod11 |
| 9 | 10 | x+1 | 15x2+50x+15 | -155(8x3-8x2+1) | {2,13,17,28,37,48}mod55 |
Table 6
Cyclotomic sparse families with degr=6 and ρ(q,t,r)=2.
| Family | k | t(x) | g(x) | y(x) | x0 |
| 1 | 7 | x2+1 | 4x2-5x+4 | x5+4x4+7x3+8x2+6x+2 | 1mod2 |
| 2 | 7 | x4+1 | 4x2-5x+4 | 4x5+8x4+9x3+6x2+2x-1 | 1mod2 |
| 3 | 7 | x5+1 | 4x2-5x+4 | 4x5+6x4+5x3+2x2-x-2 | 1mod2 |
| 4 | 7 | -x5-x4-x3-x2-x | 4x2-5x+4 | 2x5+2x4+x3-x2-2x-2 | 0mod2 |
| 5 | 7 | x+1 | 7x2+42x+7 | -191(16x5-4x4-4x3+16x2+11) | {5,31,57}mod91 |
| 6 | 7 | x2+1 | 7x2+42x+7 | 191(4x5+24x4+4x3+5x+5) | {15,54,67,80}mod91 |
| 7 | 7 | x3+1 | 7x2+42x+7 | 191(4x5+4x4-15x2+x-15) | {33,59,72,85}mod91 |
| 8 | 7 | x4+1 | 7x2+42x+7 | -191(16x5+15x3+19x2+19x+15) | {8,47,73}mod91 |
| 9 | 9 | x+1 | 4x2-9x+4 | -119(x5+5x4-4x3+6x2+6x-2) | {5,21,23,25,35}mod38 |
| 10 | 9 | x+1 | 12x2-33x+12 | 151(9x5-3x4+4x3+6x2+6x+2) | 13mod102 |
| 11 | 9 | x+1 | 19x2-30x+19 | 137(8x5+4x4+10x3+12x2+12x+5) | {4,9,12,33,34}mod37 |
| 12 | 14 | -x2+1 | 4x2+5x+4 | 3x5-4x4+3x3-2x+2 | 1mod2 |
| 13 | 14 | -x5+x4-x3+x2-x+2 | 4x2+5x+4 | 2x5-6x4+9x3-9x2+6x-2 | 0mod2 |
| 14 | 18 | x+1 | 4x2+9x+4 | -119(7x5-x4-6x2-6x+10) | {3,13,15,23,33}mod38 |
| 15 | 18 | x+1 | 19x2+30x+19 | 137(26x5-14x4-12x2-12x+29) | {3,4,6,25,28}mod37 |
Table 7
Cyclotomic sparse families with degr=8 and ρ(q,t,r)=2.
| Family | k | t(x) | g(x) | y(x) | x0 |
| 1 | 15 | x2+1 | 3x2-18x+3 | 193(20x7-8x6-22x5+20x4+14x3+6x2+7x-15) | {9,24,45,51,69,72,90}mod93 |
| 2 | 20 | x+1 | 40x2-55 | -1505(20x7+23x6-43x5-4x4+24x3+68x2-88x+20) | {41,57,115,145,161,163,241, |
| | | | | 243,317,347,363,365,443, |
| | | | | 445,461,565,645,647,663, |
| | | | | 751,767,847,865,923, |
| | | | | 721,953,971}mod1010 |
3.2 Non-cyclotomic sparse families
Now we present examples of sparse families where r(x) is not a cyclotomic polynomial, but an irreducible polynomial in ℚ[x], satisfying condition (2) of Definition 2.
So far the only known non-cyclotomic sparse families with k≠3,4,6, are Freeman’s family for k=10, with ρ(q,t,r)=1, Dryło’s two examples [3] for k=8,12, with ρ(q,t,r)=1.5 and a few examples we presented in [8] for k=5,10, with ρ(q,t,r)=1.5.
Table 8
Non-cyclotomic sparse families for k with φ(k)=4 and ρ(q,t,r)=1.5.
| Family | k | t(x) | r(x) | g(x) | y(x) | x0 |
| 1 | 8 | -112(x3-3x2-5x-9) | x4-2x2+9 | 8x2-16 | -112(x-3) | 3mod12 |
| 2 | 8 | 196(x3+6x2-20x+72) | x4-8x2+144 | x2+10 | 172(x2+6x) | 18mod24 |
| 3 | 8 | -13(2x3+5x2+7x+6) | x4+4x3+8x2+12x+9 | 2x2-4x-14 | 16(-x2-3) | 3mod6 |
| 4 | 10 | -(25x3+20x2+10x+1) | 25x4+25x3+15x2+5x+1 | 15x2+10x+3 | 15x2+5x+3 | x0∈ℤ |
| 5 | 12 | -115(x3-4x2-5x-6) | x4-2x3-3x2+4x+13 | 12x2-12x-51 | -115(x-3) | {3,23}mod30 |
| 6 | 12 | -195(2x3-17x-95) | x4-37x2+361 | x2-37 | 195(3x2+5x-38) | {19,171}mod190 |
Table 9
Non-cyclotomic sparse families for k with φ(k)=4 and ρ(q,t,r)=2.
| Family | k | t(x) | r(x) | g(x) | y(x) | x0 |
| 1 | 5 | x2+2x+2 | x4+3x3+4x2+2x+1 | 3x2+4x | -111(10x3+24x2+19x+2) | {1,5,7}mod11 |
| 2 | 8 | -112(x3-8x-16) | x4+4x3+4x2+8 | x2-4x-12 | -1204(5x3+33x2+14x+16) | {14,26,86}mod102 |
| 3 | 8 | 112(x3+3x2-5x+9) | x4-2x2+9 | 7x2+18x-9 | -1612(8x3-33x2-52x-15) | {27,75,87}mod102 |
| 4 | 8 | 13(2x3+5x2+7x+12) | x4+4x3+8x2+12x+9 | 3x2+8x+4 | 151(20x3+44x2+91x+117) | {3,18,21}mod51 |
| 5 | 10 | 13(x+4) | x4+x3+6x2-14x+61 | 3x2-12 | -1891(4x3+18x2-12x+1) | {5,17,23}mod33 |
| 6 | 10 | -14(x2+2x-3) | x4+6x3+16x2+26x+31 | 3x2-14x-5 | 144(x3+3x2+4x+4) | {9,15,17}mod22 |
| 7 | 12 | -115(x3-4x2-5x-6) | x4-2x3-3x2+4x+13 | 2x2-2x-4 | -190(x3+6x2-30x+19) | 23mod30 |
| 8 | 12 | -115(x3-4x2-5x-6) | x4-2x3-3x2+4x+13 | 6x2-6x-36 | -1150(3x3-2x2-20x+27) | {3,23}mod30 |
We applied Algorithm 1 for embedding degrees 5, 8, 10, 12 and came up with several new sparse families with ρ(q,t,r)≤2 presented in Tables 8 and 9. The first examples for k=8 and 12 in Table 8 were first produced by Dryło [3]. Recall that as k grows, then degr grows as well and it becomes hard to determine suitable polynomials t(x),r(x) and z(x). This is because in Algorithm 1 the search for non-cyclotomic sparse families is affected by both the coefficients of the element θ, as well as the coefficients of the polynomial z(x). In order to produce the examples of Tables 8 and 9, we used an exhaustive search for coefficients ai∈[-10,10] of the element θ, and for the coefficients zi∈[-20,20] of the polynomial z(x) (excluding duplicates as posed in Remark 1), for every i=0,1,…,φ(k)-1. In addition, in most examples of non-cyclotomic sparse families, we have considered integer values for both the coefficients of θ and z(x). We argue though that even more examples of families can be constructed by allowing θ and z(x) to have rational coefficients as well. Furthermore, we need to establish some limit for both the coefficients of the element θ of equation (3.1) and the polynomial z(x)∈ℚ[x] to ensure that the resulting polynomial family will have relatively small coefficients.
Remark 2.
In Tables 2–9 we provide the polynomials t(x),r(x),g(x) and y(x). In particular, the computation of the remaining field polynomial q(x) is straightforward, by using Step (7) of Algorithm 1. More precisely, we use the relation
q(x)=14[t(x)2+g(x)y(x)2].
The last column, named x0, in these tables refers to the congruential conditions that the input x0 must satisfy, in order for the values q(x0),t(x0) and r(x0) to be integers. The entries x0∈ℤ in some families indicate that the polynomials q(x),t(x) and r(x) are already integer-valued and so there no need to apply any linear transformation.
Example 1.
Let us consider the sparse family 4 in Table 2, for k=8. This is a cyclotomic family and so r(x)=Φ8(x)=x4+1. We set the trace polynomial as t(x)=-x3+1. Taking g(x)=14x2-20x+14 and y(x)=12(x2+2x+1), we obtain the field polynomial
q(x)=14[t(x)2+g(x)y(x)2]=18(9x6+18x5+9x4-8x3+9x2+18x+9).
The field polynomial q(x) is integer-valued for all x≡1mod2. This can easily be seen by applying on q(x) the linear transformation x↦(2z+1), where we obtain
q(z)=72z6+288z5+468z4+388z3+177z2+48z+8,
which has integer coefficients. Hence we have a sparse family (q(x),t(x),r(x)) of pairing-friendly elliptic curves with embedding degree 8 and ρ(q,t,r)=1.5. All families in Tables 2–9 are created in the same way.
4 Implementation and experimental results
Suitable pairing-friendly triples (q,t,r) can be obtained by the solutions of a generalized Pell equation. We describe this procedure in detail and present numerical examples of pairing-friendly parameters as a result of the sparse families we constructed in the previous section.
4.1 Finding pairing-friendly parameters with sparse families
With the notation of Section 3, let DY2=f(x)=g(x)y(x)2 and g(x)=ax2+bx+c, for some a,b,c∈ℤ. As stated in [4], we can omit the term y(x)2 from calculations and so the above equation is DY2=ax2+bx+c. Multiplying both sides by a factor S>0 such that aS is a perfect square, we obtain SDY2=aSx2+bSx+cS. Let aS=A2 and b=2ABS, for some A,B∈ℤ. Substituting, we obtain SDY2=(Ax)2+2ABx+cS. Completing the squares and setting B2-cS=T and Ax+B=X, we conclude to a generalized Pell equation of the form
(4.1)X2-SDY2=T.
We need to find a solution (X,Y) for square free values of D such that X=Ax0+B, for some x0∈ℤ. For each solution we check if q(x0) and r(x0) are both primes of a desired size and if such a x0 exists, we set q=q(x0), t=t(x0), r=r(x0) and #E(𝔽q)=q+1-t. By [21], we can increase the possibility of finding such parameters by allowing r to contain a small factor. In this case we set r=1nr(x0), for some relatively small n>0. This procedure is summarized in Algorithm 2.
Algorithm 2 (Finding pairing-friendly parameters using sparse families.).
Remark 3.
If a generalized Pell equation is solvable, then it has an infinite number of solutions and by equation (4.3) it is clear that these solutions grow very fast. However, we only need a finite number of them. In particular, if (X,Y) is a solution for equation (4.1), with X=Ax0+B, then as X grows, so does x0. Therefore, we set a limit Xmax for the size of X to guarantee that q(x0) and r(x0) will have approximately the size that we require.
Details on solving generalized Pell equations of the form (4.1) can be found in [18, 20]. The main strategy requires first to find the fundamental solution of the standard Pell equation
(4.2)U2-SDV2=1,
by computing the simple continued fraction expansion of SD. This fundamental solution is the smallest integer pair (U0,V0) satisfying equation (4.2) and according to [18, 20], such a pair always exists. On the contrary, equation (4.1) is not necessarily solvable for every D. If it is, then there is an infinite number of solutions (Xi,Yi) obtained by the recurrence relation
(4.3)Xi+YiSD=(X0+Y0SD)(U0+V0SD)i,
for each i=0,1,…, where X0,Y0>0 and Y0 is the smallest compared to the other Yi. The pair (X0,Y0) is called the fundamental solution of equation (4.1) and all pairs (Xi,Yi) obtained by the above relation lie in the same class of solutions. However, a generalized Pell equation may have more than one classes of solutions and so more than one fundamental solutions (see [18, 20]).
Now consider the generalized Pell equation (4.1) and suppose that T is a perfect square. Such Pell equations have the advantage that they are always solvable for every positive and square-free integer D. Clearly if (U0,V0) is the fundamental solution of the standard Pell equation (4.2), the pair (X0,Y0)=(TU0,TV0) is a fundamental solution of equation (4.1). This attribute increases the possibility of finding suitable elliptic curve parameters, since there are more D to test. These special Pell equations correspond to sparse families (q(x),t(x),r(x)) with g(x) that factors as a product of two linear terms. Indeed, consider the generalized Pell equation (4.1) with T a perfect square and X=Ax+B. Then we have
DY2=g(x)=A2Sx2+2ABSx+B2-TS,
where the discriminant of this polynomial is 4TA2S2>0, a perfect square. Thus the polynomial g(x) factors over ℚ[x]. Such families are called effective and there are many examples for k∈{3,4,6} (see [4, 7]) as well as an example for k=5 in [8]. Here we introduce two effective sparse families for k=10 and ρ(q,t,r)=1.5 with g(x)=3x2+10x+3 and g(x)=15x2+50x+15 in Table 2. The families for k=5,10 in Table 5 and all non-cyclotomic sparse families of Table 9 are also effective.
4.2 Numerical examples
Recall that for a pairing on an elliptic curve E/𝔽q is defined as e^:𝔾1×𝔾2→𝔾T, for some r-order subgroups 𝔾1,𝔾2⊂E(𝔽q) and 𝔾T⊆𝔽qk*. Using Algorithm 2, we are looking for pairing-friendly triples (q,t,r), for some fixed embedding degree k, such that q,r are both primes.
The prime r is chosen such that the DLP in 𝔾1,𝔾2 is hard. Recall from Section 1 that the complexity of the DLP in such groups is O(r) and the provided security level is logr2. The complexity of the DLP in a finite field 𝔽N is measured asymptotically by the L-function
(4.4)LN[ℓ,c]=exp[(c+o(1))(lnN)ℓ(lnlnN)1-ℓ],
for some real constants ℓ∈[0,1] and c>0, where in our case we have N=qk. For prime embedding degrees, the complexity of the DLP in 𝔽N is LN[13,1.923]. For composite k, this complexity is reduced to LN[13,1.526], due to the exTNFS and SexTNFS methods [13, 16]. This causes us to consider larger extension fields than the ones proposed in Table 1 for this case.
Table 10
Pairing-friendly parameters from cyclotomic sparse families of Tables 2–4 with ρ<2.
| k | Family | D | x0 | n | logr | klogq | ρ |
| 8 | Table 2, Family 4 | 13,557 | 1113089949727013355037451≡1mod2 | 34 | 314 | 3,832 | 1.5255 |
| | 632,901 | 125260298657865824736296915≡1mod2 | 4,658 | 334 | 4,160 | 1.5569 |
| 10 | Table 2, Family 6 | 46,169 | 856467713687437865697≡2mod11 | 11 | 274 | 4,150 | 1.5146 |
| | 509,605 | -35844945071156592402508167≡2mod11 | 11 | 336 | 5,070 | 1.5089 |
| | 972,721 | 230932582967705134816029633≡2mod11 | 11 | 346 | 5,230 | 1.5116 |
| 10 | Table 2, Family 7 | 9,214 | -3582385338508080720370289643≡2mod55 | 11 | 362 | 5,470 | 1.5110 |
| | 197 | 1886442124591953672765645520833≡13mod55 | 11 | 398 | 6,010 | 1.5101 |
| | 192,678 | 969431595176900801133333≡13mod55 | 11 | 315 | 4,760 | 1.5111 |
| 14 | Table 3, Family 4 | 1,897,633 | 17468982577179889797≡1mod2 | 7 | 380 | 8,974 | 1.6868 |
| 18 | Table 3, Family 6 | 1,875,283 | 24920919307794≡4mod37 | 703 | 257 | 7,974 | 1.7237 |
Table 11
Pairing-friendly parameters from non-cyclotomic sparse families of Table 8 with ρ<2.
| k | Family | D | x0 | n | logr | klogq | ρ |
| 8 | 1 | 25,358 | 20114857076729300898488163579≡3mod12 | 72 | 369 | 4,432 | 1.5014 |
| 8 | 2 | 246,526 | 9136588037365516587775386≡18mod24 | 1,152 | 321 | 3,864 | 1.5047 |
| 8 | 3 | 1,480,462 | -1278344974507416233450120697≡3mod6 | 2,034 | 349 | 4,296 | 1.5387 |
| 10 | 4 | 145,082 | 23190230404037871500518167 | 1 | 341 | 5,150 | 1.5103 |
| | 358,403 | 1647100655727790021370656557 | 1 | 366 | 5,520 | 1.5082 |
| 12 | 5 | 1,093,821 | 1390154555846465798504115769703≡23mod30 | 225 | 392 | 7,080 | 1.5051 |
Table 12
Pairing-friendly parameters from cyclotomic sparse families of Tables 5–7 with ρ≈2.
| k | Family | D | x0 | n | logr | klogq | ρ |
| 5 | Table 5, Family 1 | 41,483 | -211159755286549424372≡5mod11 | 11 | 266 | 2,680 | 2.0150 |
| 7 | Table 6, Family 2 | 74,047 | 403870588123653≡1mod2 | 1 | 291 | 4,102 | 2.0137 |
| 7 | Table 6, Family 3 | 36,565 | 8291678367327≡1mod2 | 1 | 257 | 3,626 | 2.0156 |
| 7 | Table 6, Family 5 | 166,382 | 3037040031329≡31mod91 | 15,863 | 234 | 3,451 | 2.1068 |
| 8 | Table 5, Family 4 | 568,177 | 2458004926479071616297 | 9,266 | 271 | 4,568 | 2.1070 |
| 8 | Table 5, Family 6 | 727,203 | 1232650031112915013871591≡1mod2 | 2 | 319 | 5,144 | 2.0157 |
| 10 | Table 5, Family 7 | 65 | 59610264024288257541≡8mod11 | 11 | 259 | 5,240 | 2.0232 |
| | 136,307 | -6269823015159716596763≡8mod11 | 2,761 | 278 | 5,770 | 2.0755 |
| 10 | Table 5, Family 8 | 12,415 | 247639309713608417277≡2mod11 | 781 | 261 | 5,360 | 2.0536 |
| | 2,982 | -207056634794699236164075≡4mod11 | 1 | 309 | 6,140 | 1.9871 |
| | 26,131 | -120282339607334912746667≡6mod11 | 11 | 303 | 6,080 | 2.0066 |
| 10 | Table 5, Family 9 | 2,549 | 602939471477427348762273≡28mod55 | 300,641 | 297 | 6,280 | 2.1145 |
| 14 | Table 6, Family 12 | 3,949 | 24901810552914403084769697≡1mod2 | 749,687 | 486 | 14,210 | 2.0885 |
As stated earlier, in [6] it is recommended to use elliptic curves with large CM discriminant and particularly discriminants up to 1013 (see [22]). However, a very large discriminant would affect the efficiency of the CM method. In our examples we have considered CM discriminants D<2,000,000. We argue though that if we increase the values of D, more examples can be found.
In Tables 10–13 we give our numerical examples obtained by the sparse families of Section 3 and the solutions of their corresponding Pell equations. In all cases we are aiming at a security level of at least 128-bits in all three groups 𝔾1,𝔾2 and 𝔾T. This corresponds to primes r with logr≥256-bits.
In Tables 10 and 11 we present pairing-friendly parameters with ρ<2 obtained by cyclotomic and non-cyclotomic sparse families, respectively. In Tables 12 and 13 we present examples of suitable parameters with ρ≈2 from cyclotomic and non-cyclotomic families of Section 3. In each table the integer x0 refers to the input of the polynomials q(x),t(x) and r(x). In particular, recall that x0 satisfies the coordinate X of the solution (X,Y) of a generalized Pell equation
X2-SDY2=T with X=Ax+B
and thus x0=1A(X-B). In addition, each x0 satisfies the congruential restrictions of Tables 2–7, which guarantee that the values q(x0),t(x0) and r(x0) are integers.
Table 13
Pairing-friendly parameters from non-cyclotomic sparse families of Table 9 with ρ≈2.
| k | Family | D | x0 | n | logr | klogq | ρ |
| 5 | 1 | 147,043 | 1449816386918385097300≡7mod11 | 301,081 | 262 | 2,805 | 2.1412 |
| 8 | 2 | 305 | 1711586296790372515238≡86mod102 | 1,224 | 271 | 4,408 | 2.0332 |
| 8 | 3 | 69,529 | 408965132519053609196721≡27mod102 | 314,568 | 295 | 4,920 | 2.0847 |
| | 100,622 | -12402082704006889591707≡75mod102 | 500,616 | 274 | 4,600 | 2.0985 |
| | 335,435 | -8089098234829878879363≡87mod102 | 1,224 | 280 | 4,560 | 2.0357 |
| | 394,494 | -151681344721452118821020325699≡87mod102 | 1,224 | 377 | 6,104 | 2.0239 |
| 10 | 5 | 90,041 | -56916071623566481769998≡17mod33 | 188,001 | 284 | 5,880 | 2.0704 |
| | 491,801 | -3173877699980797150023780052≡23mod33 | 669,141 | 346 | 7,140 | 2.0636 |
| 12 | 7 | 2,267 | -2715052003257625720577287≡23mod30 | 24,525 | 310 | 7,620 | 2.0484 |
| | 29,307 | -34602764635774626039735847≡23mod30 | 225 | 331 | 7,968 | 2.0060 |
| | 66,693 | 9935241697835439994862312794733≡23mod30 | 2,925 | 400 | 9,708 | 2.0225 |
| | 69,883 | -622764173102421882117788854333207≡23mod30 | 225 | 427 | 10,284 | 2.0070 |
| 12 | 8 | 3,459 | 11998181924983032261123≡3mod30 | 852,925 | 273 | 6,912 | 2.1099 |
| 3,497 | 26857090581197349482939475003≡3mod30 | 25 | 373 | 8,928 | 1.9946 |
| 6,715 | 18538845875409027009412651276803≡3mod30 | 17,725 | 401 | 9,840 | 2.0449 |
| 10,127 | 1132518462253070912433≡3mod30 | 25 | 275 | 6,576 | 1.9927 |
| 10,187 | 499802294134513962222029124003≡3mod30 | 25 | 389 | 9,336 | 2.0000 |
| 10,442 | 1813086331321371689943163443≡3mod30 | 25 | 357 | 8,556 | 1.9972 |
| 23,865 | 26629569113080985777209787820003≡3mod30 | 304,525 | 399 | 9,888 | 2.0652 |
| 25,853 | 725331800104216002019810209402243≡3mod30 | 2,725 | 425 | 10,344 | 2.0282 |
| 34,770 | 6054607261460072436710403≡3mod30 | 322,825 | 310 | 7,764 | 2.0871 |
| 88,842 | 3127909422825578669091843≡3mod30 | 25 | 320 | 7,680 | 2.0000 |
The integer n denotes the small factor of r(x0), in which case we set the prime r as r=1nr(x0). In our experiments, this small factor is taken to be up to 10,000, or even larger (106) in some examples. Finally, logr and klogq refer to the size of the prime r and the size extension field 𝔽qk, respectively. The pairing-friendly parameters presented in Tables 12 and 13 are the first examples obtained from sparse families for various embedding degrees with ρ≈2. The examples of Table 13 are produced from effective sparse families and this is why it contains more examples than the others. Particularly the examples obtained by Family 8 of Table 9 are more than any other sparse family we examined. Notice that we have found ten examples of pairing-friendly parameters in this case for Dmax=100,000.
Remark 4.
Using the value x0 in Tables 10–13, we can extract the elliptic curve parameters q,t and r in the following way: we find the corresponding sparse family in Tables 2–9, indicated in the second column, and evaluate the polynomials t(x) and r(x) at x0. Then we set t=t(x0) and r=1nr(x0), where n is given in the fifth column of Tables 10–13. For the prime q we set
q=q(x0)=14[t(x0)2+g(x0)y(x0)2].
In some cases the value y(x0) is not an integer, thus it might contain a factor 1s. This does not affect the elliptic curve parameters (q,t,r) since in all such examples s2 divides g(x0) and hence g(x0)y(x0)2 is always an integer in our examples. Alternatively, recall that we want g(x0)y(x0)2=DY2, for some square-free CM discriminant D>0, which is given in the third column of Tables 10–13 and an integer Y. In all of our examples we have that g(x0)y(x0)2D=Y2, i.e. a perfect square integer, where y(x0) is not necessarily an integer.
The results in these tables justify our claim that sparse families with ρ(q,t,r)=2 are likely to offer a nice balance between the security levels in the three defining groups of a pairing. For instance, suppose that k=8, ρ(q,t,r)=1.5 and logr=256. A simple calculation using equation (4.4) shows that the asymptotic complexity of the DLP in 𝔽q8 is Lq8[13,1.526]≈110-bits. If we choose a family with ρ(q,t,r)=2, then this complexity increases to approximately 124-bits, which is very close to the intended security level. On the other hand, for prime embedding degrees, consider a sparse family with k=5 and ρ(q,t,r)=1.5. For an 128-bit security level such families are invalid, since the complexity of the DLP in 𝔽q5 is Lq5[13,1.923]≈114-bits. However, choosing a family with ρ(q,t,r)=2, we obtain a security level of 128-bits in the target group.
Analogous conclusions can be made for other embedding degrees and higher security levels as well. For example Freeman’s family for k=10 and ρ(q,t,r)=1 was considered to be one of the ideal examples for implementations, since it was designed to offer a 128-bit security level in 𝔾1,𝔾2 and 𝔾T, with logr=logq=256-bits. For a 256-bit prime r, this family corresponds to an extension field of size 10logq=2,560. Nowadays, since k=10 is composite, the complexity of the DLP in 𝔽q10 is Lq10[13,1.526]≈102-bits, far from the ideal case. In order to increase the security level in the extension field, when k=10, we need to consider families with ρ(q,t,r)≥1.5. More precisely, a family with ρ(q,t,r)=1.5 results in Lq10[13,1.526]≈121-bits, but if we allow a relatively small cofactor n we will achieve a 128-bits security level.
The final example describes how the first entry in Table 10 is extracted. All examples in Tables 10–13 are produced in the same manner.
Example 2.
Let us consider the sparse family of Example 1 for k=8. Recall that g(x)=14x2-20x+14. Setting DY2=g(x), we can construct the corresponding generalized Pell equation by multiplying by 14 and completing the squares, in which case we obtain
X2-14DY2=-96,where X=14x-10.
Solving this equation for D=1 up to some bound Dmax, we get that for D=13557 the pair
(X,Y)=(15583259296178186970524304,35769468027929990781812)
is a solution for the above generalized Pell equation, for which
X=15583259296178186970524304=14⋅1113089949727013355037451-10.
Thus we set x0=1113089949727013355037451 and since x0≡1mod2, we evaluate the sparse family at x0, where we obtain
t(x0)=-1379084204816568967933565988445878273074793788662578724629722098991244850,
y(x0)=22158635240623429255980388671224235145707357764136130917507889201547424,
r(x0)=34×45148375535546851220441313205535640794971749131498385771772024669829
862187278745767097241644553,
q(x0)=213960739947136689034610442989168775540567702119257861043429595757767560
4025877858790410611192643075676809571228408106790542831484411761383384433.
Note that here r(x0) is nearly prime, i.e. it contains a small factor n=34. Thus, the prime dividing the order of the curve is r=134r(x0). The size of the prime r is logr=314-bits and the base prime is q=q(x0) with logq=479-bits, producing an extension field of size 8logq=3832-bits. Finally, the trace of Frobenius is t=t(x0) and for these parameters we have ρ=1.5255.
