Let be an elliptic curve defined over a field .
Let be a prime dividing . The subgroup
of the group of points of of order can be used
for cryptography provided it is sufficiently large.
Now define the embedding degree (with respect to ) as the smallest
positive integer such that divides .
For pairing-based cryptography, we require curves with low embedding degrees.
Supersingular curves provide six families of curves with
embedding degree at most 6 [MOV]. Let and let be the
embedding degree. Then the six classes are:
-
: and
-
: and
(and )
-
: (and is even)
-
: (and and is odd)
-
: (and and is odd)
-
: (and is even)
[TODO: more on supersingular curves, link to examples in pairing.html page.
(Separate page for this?)]
MNT curves
are an alternative to supersingular curves. They have the
advantage of using fields of high characteristic when
thus are safe from the
Coppersmith attack. They use the complex multiplication (CM)
method of generating elliptic curves.
Curve Orders
and . See p.105 of Blake, Seroussi and Smart.