Isolated elliptic curves and the MOV attack

Travis Scholl

doi:10.1515/jmc-2016-0053

Artikel Open Access

Isolated elliptic curves and the MOV attack

Travis Scholl

Veröffentlicht/Copyright: 11. Mai 2017

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 11 Heft 3

Abstract

We present a variation on the CM method that produces elliptic curves over prime fields with nearly prime order that do not admit many efficiently computable isogenies. Assuming the Bateman–Horn conjecture, we prove that elliptic curves produced this way almost always have a large embedding degree, and thus are resistant to the MOV attack on the ECDLP.

Keywords: Elliptic curves; isogenies; isolated curves; embedding degree; cryptography; distribution of primes

MSC 2010: 11G20; 94A60; 14H52; 14K02

1 Introduction

The security of elliptic curve cryptosystems is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). For an elliptic curve E over a prime field 𝔽p, the best known generic attack on the ECDLP takes roughly p operations. Suppose that a new algorithm 𝒳 was found that could solve the ECDLP on a subset W of elliptic curves over 𝔽p faster than all previously known algorithms. Given an instance of the ECDLP on E, if an attacker could construct an isogeny φ:E→E′ with E′∈W, then they could transfer the instance to E′ where they could use 𝒳. The total time for this attack is bounded below by the time m that it takes to compute φ. If m≥p, then this attack is no faster than generic algorithms, no matter how fast 𝒳 is. Let 𝒯 denote the set of curves E′ such that an isogeny φ:E→E′ can be computed in less than p time. We will assume that the probability that a random curve in 𝒯 lies in W, is roughly the ratio ϵ of |W| to the number of elliptic curves over 𝔽p. For a random E, we expect that |𝒯|≈p, which in practice is ≈2128. However, it is possible for |𝒯| to be much smaller, so that E is resistant to this attack. For example, if ϵ≈2-50 and |𝒯|≤1000, then the probability that the ECDLP on E can be efficiently transferred to some E′∈W is about 2-40. In this case, we call E isolated (a precise definition is given below). In this paper, we give an algorithm based on the complex multiplication (CM) method to generate isolated elliptic curves that are suitable for cryptography.

Remark 1.

The hypothetical attack outlined above is motivated by the case of elliptic curves over composite degree extensions of prime fields (usually 𝔽2). In that case, Weil descent can sometimes be used to solve the ECDLP significantly faster than generic methods on a small but non-negligible proportion of curves [27, 26].

The conductor gap (see Definition 1) between two elliptic curves measures the difficulty of constructing an isogeny between them. If the conductor gap between E and E′ is L, then the fastest known algorithm for computing an isogeny between E and E′ takes roughly L3 time. We say an elliptic curve E is (L,T)-isolated if there are at most T curves whose conductor gap with E is at most L. For example, if E is (p1/6,1000)-isolated, then there are at most 1000 curves E′ for which it would be feasible to construct an isogeny E→E′. Thus E is most likely resistant to the hypothetical attack described above.

In addition to being resistant to the hypothetical attack above, isolated curves should be resistant to known attacks on the ECDLP, such as the MOV attack, named after the authors of [25]. The MOV attack reduces the ECDLP on an elliptic curve E/𝔽p to 𝔽pk×. The smallest possible k is called the embedding degree. This reduction is only practical if k is <log2⁡p. Our main theorem shows that, under the Bateman–Horn conjecture, curves produced by our algorithm almost always have embedding degree larger than log2⁡p.

Theorem 2.

Assume the Bateman–Horn conjecture. There is an algorithm that takes as input a bound M, and returns an elliptic curve E over a prime field Fp such that the following hold:

M/2≤p≤M,
#⁢E⁢(𝔽p)=r⁢f, where r is prime and f∣24,
E is (p/50-100,8)-isolated.

The expected running time of the algorithm is O⁢(log3⁡M) multiplied by the time required to test if an integer of size M is prime. If M is sufficiently large, then the probability that the returned curve has an embedding degree less than log2⁡p, is bounded above by

C⁢log8⁡MM

for some effectively computable constant C.

Remark 3.

The Bateman–Horn conjecture is used to estimate how often several polynomials are simultaneously prime. While the conjecture gives an asymptotic formula for any collection of polynomials, we only require a big-Ω statement for how often three particular polynomials are simultaneously prime (see Problem 2).

Remark 4.

Experimentally, our algorithm works well when M≈2256. After several thousand iterations, it never produced a curve with embedding degree >log2⁡p and finished within the expected time (see Section 6.4). However, we are unable prove an explicit lower bound for what “sufficiently large” is, nor can we give a computable upper bound for the implicit constant in the big-O notation for the run time. In Section 6, we discuss these points as well as provide a reasonable assumption to solves these issues.

Theorem 2 should be compared with the generic probability that a curve with prime order has embedding degree <log2⁡p.

Theorem 5 (Balasubramanian and Koblitz [1, Theorem 2]).

Let p be a uniformly random prime in the interval [M/2,M], and E a random elliptic curve over Fp of prime order. The probability that the embedding degree of E is less than log2⁡p, is bounded above by

C⁢log9⁡M⁢(log⁡log⁡M)2M,

for some effectively computable constant C.

Remark 6.

When giving a conditional theorem in cryptography, it is important to avoid contrived conjectures that are custom built to fill gaps in security proofs [21], [19, Section 1.4.2]. The Bateman–Horn conjecture is of independent interest. It predates elliptic curve cryptography, and is a generalization of the well-known hypothesis H from Schinzel [31]. It is supported by substantial theoretical and numerical evidence. For this reason we feel that the use of the conjecture is justified.

The rest of the paper is organized as follows. In Section 2 we briefly review background material as well as set notation for the rest of the paper. In Section 3 we define isolated curves, and in Section 4 we outline a method for generating them. In Section 5 we show that our algorithm has a high probability of producing curves that are resistant to the MOV attack, and prove Theorem 2. In Section 6, we explain some limitations of our results and give some heuristics suggesting that these limitations do not appear in practice.

2 Background and notation

Let E be an elliptic curve over a prime field 𝔽p. We will primarily consider primes on the order of 2256. Let N=|E⁢(𝔽p)| be the number of points, and t=p+1-N. If t≡0modp then E is vulnerable to the MOV attack [25], so we will only consider the case when t≢0modp. In this case E is called ordinary.

An isogeny is a surjective morphism of elliptic curves with finite kernel. The set of isogenies E→E defined over the algebraic closure 𝔽¯p of 𝔽p, together with the 0 map form the endomorphism ringEnd⁡E=End𝔽¯p⁡E. If E is ordinary then End⁡E is isomorphic to an order in an imaginary quadratic field K.

Let π∈End⁡E denote the Frobenius endomorphism, which on the level of points takes (x,y)↦(xp,yp). We identify π with an element of K. Then Tr⁡π=t and Norm⁡(π)=p [34, Chapter V]. This means that we can identify π=t+c⁢-d2, where -d=Disc⁡K and c>0. Notice that ℤ⁢[π] is the order in K of conductor c, and that

(2.1)4⁢p=t2+d⁢c2.

Given an elliptic curve E, there is an associated number j⁢(E) which determines the isomorphism type of E over 𝔽¯p. j⁢(E) is called the j-invariant of E. Throughout the rest of the paper, unless otherwise noted, E will represent an ordinary elliptic curve over the prime field 𝔽p.

2.1 Isogeny classes

Definition 1.

The isogeny classI of E is the set of isomorphism classes (over 𝔽p) of elliptic curves that are isogenous (over 𝔽p) to E.

The isogeny class of E is uniquely determined by N=#⁢E⁢(𝔽p). This follows from Tate’s isogeny theorem, which says that two elliptic curves over 𝔽p are isogenous if and only if they have the same number of points [34, Exercise. 5.4]. For every integer N in the Hasse interval [p+1-2⁢p,p+1+2⁢p], there is an elliptic curve with N points. Thus by Tate’s thereof, there are about 4⁢p isogeny classes. One can show using the j-invariant that there are roughly 2⁢p isomorphism classes of elliptic curves over 𝔽p. This means that on average, each isogeny class has about p/2 curves.

An ℓ-isogeny is an isogeny of degree ℓ. We will only consider ℓ-isogenies with ℓ a prime other than p. Such isogenies are separable and have a kernel of size ℓ. Any separable isogeny between elliptic curves factors into a composition of isogenies of prime degree.

2.2 Endomorphism classes

The isogeny class I of E can be partitioned into endomorphism classes. Let I𝒪 denote the set of curves in I whose endomorphism ring is isomorphic to 𝒪, an order in an imaginary quadratic field. We call I𝒪 the endomorphism class of 𝒪 in I.

Proposition 2.

The endomorphism classes in I are precisely those associated to orders in the quadratic imaginary field Q⁢(π) that contain Z⁢[π]. For any O⊇Z⁢[π], the size of IO is equal to the class number h⁢(O).

Proof.

See Theorems 4.3 and 4.5 from [32]. ∎

Endomorphism classes have O⁢(p⁢log⁡d) curves. To see this, let c′ be the conductor of an order appearing in I. Recall that the class number of an order of conductor c′ is approximately h⁢c′ (see [9, Theorem 7.24] for a precise formula). The class number h is bounded above by 1π⁢d⁢log⁡d [6, Excercise 5.27 b]. We also know that c′ divides c because every order appearing in I contains the Frobenius ring ℤ⁢[π]. It follows from (2.1) that h⁢c′≤h⁢c≤cπ⁢d⁢log⁡d<2π⁢p⁢log⁡d.

For a random curve E over 𝔽p for a random prime p, we expect that c is close to 1 [16, Sec. 6]. Because the endomorphism classes in I correspond to divisors of c, we do not expect to find many endomorphism classes. Thus on average, we should expect that IEnd⁡E usually has roughly p curves.

2.3 Bateman–Horn conjecture

We will be interested in how often several polynomials are simultaneously prime. For a single polynomial of degree one, we have the prime number theorem and Dirichlet’s theorem on primes in arithmetic progressions. Bateman and Horn made the following conjecture based on heuristics derived from the prime number theorem.

Definition 3.

We say that a polynomial f∈ℤ⁢[x] satisfies Bunyakovsky’s property if gcda∈ℤ⁡f⁢(a)=1.

Warning 1.

In order for f to satisfy Bunyakovsky’s property, it is necessary that the coefficients of f are relatively prime. This condition is not sufficient, for example gcda∈ℤ⁡(a2+a)=2.

Conjecture 4 (Bateman–Horn Conjecture [2]).

Let f1,…,fk∈ℤ⁢[x] be distinct irreducible polynomials such that their product ∏fi satisfies Bunyakovsky’s property. Let

Pf1,…,fk⁢(N)={a∈ℤ:1≤a≤N⁢ and ⁢fi⁢(a)⁢ is prime for all i=1,…,k}.

Then

(2.2)|Pf1,…,fk⁢(N)|∼CD⁢Nlogk⁡N.

Here D=∏deg⁡fi, C=∏ℓ⁢ prime1-ω⁢(ℓ)/ℓ(1-1/ℓ)k, and ω⁢(ℓ) denotes the number of roots of ∏fi in 𝔽ℓ.

Remark 5.

There is a large amount of theoretical and numerical evidence for the Bateman–Horn conjecture. It reduces to Dirichlet’s theorem on primes in arithmetic progressions for a single polynomial of degree 1. It also agrees with the twin prime conjecture and the Sophie Germain prime conjecture [33, Section 5.5]. More recently, an analog of the conjecture has been proven for function fields [10].

2.4 The MOV attack

The MOV attack transfers a discrete log from E⁢(𝔽p) to 𝔽pk× for some positive integer k. The idea is to leverage sub-exponential time algorithms for solving discrete logs in the multiplicative group of a finite field. A necessary condition for this transfer is that |E⁢(𝔽p)| divides pk-1. The smallest possible k is called the embedding degree^[1] of E. This is the same as the multiplicative order of p in (ℤ/N⁢ℤ)×, where N=|E⁢(𝔽p)|. For more on the MOV attack see [25]^[2] or [34, Section XI.6].

If k>log2⁡p, then the MOV attack will not be faster than trying to solve the discrete log on E directly [1]. Therefore we are primarily interested in curves with embedding degree >log2⁡p.

3 Isolated curves

Definition 1.

The conductor gap of two orders in a fixed quadratic imaginary field is the largest prime dividing the conductor of one and not the other. The conductor gap between two isogenous elliptic curves is defined to be the conductor gap of their endomorphism rings. If the curves are not isogenous, then their conductor gap is ∞. The L-conductor-gap class of a curve E is the set of all curves E′ such that the conductor gap between E and E′ is less than L.

Proposition 2.

Let φ:E→E′ be an ℓ-isogeny for some prime ℓ. If O and O′ are the endomorphism rings of E and E′, respectively, then one of the following holds:

[𝒪:𝒪′]=ℓ,[𝒪′:𝒪]=ℓ,𝒪=𝒪′.

Proof.

See [22, Proposition 21]. ∎

In the first two cases of Proposition 2, we say that φ is vertical; otherwise φ is horizontal. Horizontal isogenies stay inside the same endomorphism class while vertical ones move to a new class. The main implication of Proposition 2 is that if two endomorphism classes have conductor gap a prime ℓ, then any isogeny between them factors through an ℓ-isogeny. Unless otherwise noted, throughout the rest of the paper ℓ will denote a prime not equal to p.

Definition 3.

Let E be an elliptic curve over 𝔽p. We will say E is isolated with gap L and set-size T, or (L,T)-isolated, if the L-conductor-gap class of E has at most T curves.

Remark 4.

The observation that isolated curves are resistant to isogeny based attacks has been noted before in the literature. This idea is discussed in [20, Section 11.2], [17, Section 7.1], and [26, Remark 6]. This idea has also been applied to Jacobians of curves of genus 2, cf. [37].

3.1 Computational complexity of isogenies

The computational complexity of an isogeny depends on its degree, but the complexity is different for horizontal and vertical isogenies. The fastest known method [22] for constructing a vertical isogeny from E involves constructing the modular polynomial Φℓ. Finding Φℓmodp is the most expensive step and the best known methods take O~⁢(ℓ3) time and O~⁢(ℓ2) space [4] (recall that O~⁢(f) means O⁢(f⁢logk⁡f) for some integer k); Φℓ is a polynomial of degree ℓ+1 in two variables, so any method which involves computing Φℓ must take Ω⁢(ℓ) time and space. Moreover, because we represent ℓ-isogenies using either polynomials of degree ℓ, or a list of points in the kernel; any algorithm which computes an ℓ-isogeny will need at least Ω⁢(ℓ) space.

For horizontal isogenies where the endomorphism ring has a small discriminant, there are much faster algorithms which are polynomial in log⁡ℓ, cf. [3, 18]. These methods do not extend to vertical isogenies crossing a large conductor gap. Therefore we can only effectively transport the ECDLP to another endomorphism class when the conductor gap is less than p1/6.

The best algorithm known for solving the ECDLP on a general elliptic curve takes O~⁢(p) time [28]. If ℓ≥p1/6, then computing a vertical ℓ-isogeny takes similar time to solving the ECDLP. If two endomorphism classes have a conductor gap of at least p1/6, then there is no significant benefit in transferring the ECDLP across the gap.

3.2 Examples

Example 5.

Let E be the elliptic curve y2=x3+6⁢x over 𝔽p, where p=12475737285765000161≈263.4. Note that End⁡E≅ℤ⁢[i] has class number 1, so E is the only curve in its endomorphism class. The Frobenius endomorphism π generates an order ℤ⁢[π] with prime conductor c=2559154831≈231.2. This means that the isogeny class of E has two endomorphism classes: one which contains only E, and another which contains h⁢(ℤ⁢[π])=1279577416≈230.2 curves. Because the conductor gap between the classes is c≈p, this shows that E is isolated with gap 231 and set-size 1.

Example 6.

Let E be the elliptic curve y2=x3+350⁢x over 𝔽p, where p=122501. As in the previous example, the endomorphism class of E has only one curve. However, in this case ℤ⁢[π] has conductor 1, so the isogeny class of E contains only E, and E is (∞,1)-isolated. This example is highly atypical because the trace t=700=⌊2⁢p⌋ is at the extreme end of the Hasse bound.

4 Generating isolated curves

In this section we give an algorithm to generate isolated elliptic curves. We will apply some slight modifications to the algorithm presented here in order to prove Theorem 2. For use in cryptography, we would like to generate prime ordered curves. However there are some basic obstructions to a curve having prime order. For example, consider equation (2.1). In order for p to be an odd prime, if d is even then t must be even. It follows that N=p+1-t is also even. In this case, the choice of d forced a factor of 2 to divide N. Fortunately, the only obstructions to N being prime are a few factors of 2 and 3.

For any integer a≡0,3,4mod8, define^[3] the cofactor to be

(4.1)cofa=2ν2⋅3ν3,

where

ν2={0if a≡3,11,19,27mod32,1if a≡4,8,20,24mod32,2if a≡0,12,16mod32,3if a≡28mod32,

ν3={0if a≢2mod3,1if a≡2mod3.

The algorithm proceeds as follows.

Algorithm 1 (Isolated curve.).

Remark 1.

Algorithm 1 is not optimized for efficiency. For example, if d≡0mod4, then t must be even. Thus by choosing only even values of t in Step 2, we expect the runtime to be reduced by a factor of 2. We present the unoptimized version for simplicity.

Remark 2.

The reason for removing 0,1,2 from possible values of t is to avoid the attacks described in [35], [25], and [12].

Remark 3.

One drawback^[4] of using the CM method is that we do not have full control over the prime p. That is, we can not choose p arbitrarily and then construct an isolated curve over 𝔽p. This makes it more difficult to find p with special properties, such as a small Hamming weight (which can lead to more efficient implementations). However, we can lower the Hamming weight of p with the following modifications. Instead of choosing c randomly, fix c to be a large prime of small Hamming weight. Also, restrict the search for t to integers with small Hamming weight. Because p is given by a simple expression in t and c, the resulting value of p will likely have small Hamming weight.

First we will explain the last steps of the algorithm. The following facts are the basis of the well-known CM method [7, Section 18.1]:

The Hilbert class polynomial of K=ℚ⁢(-d) has a root in 𝔽p by construction.
There exists an elliptic curve E/𝔽p with N points and j⁢(E)=j.

An efficient algorithm for finding E, given j and N can be found in [30]. Since j⁢(E) is a root of the Hilbert class polynomial mod p, it follows that End⁡E≅𝒪K, cf. [36, Section 2.8]. If the choice of d is bounded by a constant, then Steps 7 and 8 in the algorithm have a running time of O⁢(1). The main factor in the running time comes from the loop in Steps 2 through 5.

Proposition 4.

If the main loop of Algorithm 1 terminates, then the curve E returned by the algorithm is isolated with gap M2 and set-size 1π⁢d⁢log⁡d.

Proof.

We are assuming p,c,N/cofd⁢c2 are prime and we want to show that E is isolated. Let K=ℚ⁢(-d). By the explanation above, End⁡E≅𝒪K. Let π∈End⁡E denote the Frobenius endomorphism of E. In 𝒪K, π corresponds (up to conjugation) to t+c⁢-d2. We also know that c=[𝒪K:ℤ[π]]. Because c was chosen to be prime, there are two endomorphism classes in the isogeny class of E corresponding to 𝒪K and ℤ⁢[π]. The endomorphism class of 𝒪K contains h⁢(𝒪K)≤1π⁢d⁢log⁡d curves. Therefore, E is isolated with gap c≥M2 and set-size 1π⁢d⁢log⁡d. ∎

Remark 5.

It is easy to alter Algorithm 1 to produce curves that are (∞,1)-isolated, meaning that the entire isogeny class contains a single curve, similar to Example 6. To do this, we choose d such that ℚ⁢(-d) has class number 1, and fix c=1. However, we do not know how to prove that curves generated this way usually have an embedding degree >log2⁡p. This is because there are too few values of t such that p and N/cofd are simultaneously prime. Even though the Bateman–Horn conjecture gives an asymptotic formula, it is not enough to prove a bound on the embedding degree using the methods in Section 5.

5 Improbability of the MOV attack on isolated curves

5.1 Notation

In [1], Balasubramanian and Koblitz proved that a random prime order elliptic curve over a random prime field almost always has a large embedding degree. Their work has been extended in several ways [8, 24]. We want to emulate the main theorem of [1] for isolated curves. The main difference is that in [1], the authors were able to vary the prime and the number of points subject only to the Hasse bound. There is less flexibility in our case due to restrictions on the conductor c and the discriminant d.

We will use the following notation:

-d is a fixed small (<100) fundamental discriminant of a quadratic imaginary field,
p=p⁢(t,c)=t2+d⁢c24,
N=N⁢(t,c)=p+1-t,
cof=cof⁡(c)=cofc⁢d2 as defined in Section 4,
r=r⁢(t,c)=Ncof.

Remark 1.

Note that r is not a polynomial in t,c because cof⁡(c) depends only on the valuation of d⁢c2 at 2 and 3. We will apply a linear change of variables in c in order to fix the cofactor.

Define the following sets:

SM={(t,c)∈[1,M]×[M/2,M]:p,r,c are prime},

SM,K={(t,c)∈SM:the order of p in (ℤ/r⁢ℤ)× is at most K},

SM⁢(t)={c:(t,c)∈SM},

SM,K⁢(t)={c∈SM⁢(t):(t,c)∈SM,K}.

The set SM represents possible pairs t,c that Algorithm 1 could use to generate an isolated curve. In particular, the expected number of pairs t,c sampled by Algorithm 1 is |SM|M. The set SM,K represents those pairs which result in a curve with embedding degree at most K. The sets SM⁢(t) and SM,K⁢(t) represent pairs with a fixed t value.

5.2 Main results

Our goal for this subsection is to find an upper bound for SM,K⁢(t0)SM⁢(t0) for a fixed integer t0. This is roughly the probability that Algorithm 1 returns a curve with embedding degree at most K given that t=t0.

First we give an upper bound for SM,K⁢(t0).

Proposition 2.

Let K,M be any positive integers. Then there is a universal constant A1 such that for any integer t0 with |t0|>1,

|SM,K⁢(t0)|<𝒜1⁢K2⁢log⁡|t0|.

Proof.

Let Lk={primes ℓ:ℓ∣(t0-1)k-1}. By construction

r∣pk-1⇔r∣(p-N)k-1=(t0-1)k-1.

Hence there is a map φ:SM,K⁢(t0)→⋃k=1KLk given by c↦r⁢(t0,c).

Next we will show that |φ-1⁢(ℓ)|≤16. Note that N⁢(t0,c) is a quadratic polynomial in c, so there are at most two values of c such that N⁢(t0,c) is the same. There are eight possible values of cofc, hence there are at most sixteen values of c which could give the same value of r⁢(t0,c). Therefore

|SM,K⁢(t0)|=|φ-1⁢(⋃k=1KLk)|≤16⁢|⋃k=1KLk|.

It remains to bound the Lk. The number of prime divisors of (t0-1)k-1 is bounded by log2⁡|t0-1|k≤k⁢log2⁡(|t0|+1). Hence

|⋃k=1KLk|≤∑k=1K|Lk|≤∑k=1Kk⁢log2⁡(|t0|+1)=K⁢(K+1)2⁢log2⁡(|t0|+1)≤2.4⁢K2⁢log⁡(|t0|).

The last inequality holds for all |t0|≥2, so we may take 𝒜1=2.4. ∎

Next we will to bound SM⁢(t0) from below. Because t0 is fixed, we will be able to apply the Bateman–Horn conjecture. However, in order to apply the conjecture, we first need a change of coordinates which makes p and r into polynomials satisfying Bunyakovsky’s property.

Lemma 3.

Let -d be a fundamental discriminant for a quadratic imaginary field such that d<100. Then there are computable constants m1,b1,m2,b2∈Z≥0 such that the linear change of variables t′=t′⁢(t)=m1⁢t+b1 and c′=c′⁢(c)=m2⁢c+b2 satisfy:

fd⁢(c′)2 is constant as a function of c.
p′=p⁢(t′,c′) and r′=r⁢(t′,c′) are integer polynomials in t and c.
For any t∈ℤ, the product p′⋅r′⋅c′/gcd⁢(m2,b2) satisfies Bunyakovsky’s property as a polynomial in c.

Remark 4.

In condition (iii) of Lemma 3, we include c′/gcd⁢(m2,b2) rather than just c′ because of the case d≡7mod8. In this case, p=t2+d⁢c24 is an odd integer only if t and c are even. In particular, we cannot have both c′ and p′ simultaneously prime when d≡7mod8.

Proof of Lemma 3.

We will prove the claim in detail for d=4 by showing t′=3840⁢t and c′=2⁢c+1 satisfy properties (i)–(iii). The other cases are similar, and the corresponding change of coordinates are given in Table 1.

Table 1

Choices of t′,c′ in Lemma 3 found using Sage [38].

d	t′	c′	d	t′	c′
3	2160⁢t+1	2⁢c+1	51	624240⁢t+1	2⁢c+1
4	3840⁢t	2⁢c+1	52	648960⁢t+4	2⁢c+1
7	94080⁢t+10	4⁢c	55	5808000⁢t+18	4⁢c
8	46080⁢t+6	6⁢c+1	56	2257920⁢t+6	6⁢c+1
11	87120⁢t+15	6⁢c+1	59	2506320⁢t+15	6⁢c+1
15	432000⁢t+34	4⁢c	67	1077360⁢t+1	2⁢c+1
19	86640⁢t+1	2⁢c+1	68	3329280⁢t+12	6⁢c+1
20	288000⁢t+24	6⁢c+1	71	783976320⁢t+10	12⁢c
23	82270080⁢t+10	12⁢c	79	11982720⁢t+10	4⁢c
24	138240⁢t+10	2⁢c+1	83	4960080⁢t+3	6⁢c+1
31	1845120⁢t+10	4⁢c	84	1693440⁢t+40	2⁢c+1
35	882000⁢t+3	6⁢c+1	87	14532480⁢t+10	4⁢c
39	2920320⁢t+10	4⁢c	88	1858560⁢t+6	2⁢c+1
40	384000⁢t+6	2⁢c+1	91	1987440⁢t+1	2⁢c+1
43	443760⁢t+1	2⁢c+1	95	1403568000⁢t+34	12⁢c
47	343543680⁢t+10	12⁢c

(i) For any c, we have that d⁢(c′)2≡4mod32 and d⁢(c′)2≢2mod3. Hence cofd⁢(c′)2=2 for all c.

(ii) To show p′ and r′ are integer polynomials, we just have to expand out the definitions:

p′=p⁢(t′,c′)=3686400⁢t2+4⁢c2+4⁢c+1,

r′=r⁢(t′,c′)=N⁢(t′,c′)2=1843200⁢t2+2⁢c2-1920⁢t+2⁢c+1.

(iii) Let g⁢(t,c)=p′⋅r′⋅c′∈ℤ⁢[t,c] and t0∈ℤ. To show that g⁢(t0,c)∈ℤ⁢[c] satisfies Bunyakovsky’s property, it is sufficient to check that gcd⁡{g⁢(t0,0),…,g⁢(t0,5)}=1 as g⁢(t0,c) is a degree 5 polynomial in c.^[5] A direct computation^[6] shows that

3⁢g⁢(t,0)+4⁢g⁢(t,1)+17⁢g⁢(t,2)-36⁢g⁢(t,3)+23⁢g⁢(t,4)-5⁢g⁢(t,5)=960.

Therefore

gcd⁡{g⁢(t0,0),…,g⁢(t0,5)}=gcd⁡{g⁢(t0,0),…,g⁢(t0,5),960}

=gcd⁡{g⁢(0,0),g⁢(0,1),…,g⁢(0,5)}=1.

The second to last equality follows from the fact that t′≡0mod960 by construction. The last equality follows from the fact that g⁢(0,0)=1. ∎

Remark 5.

We expect Lemma 3 to hold for all d with many different possibilities for mi,bi.

Proposition 6.

Assume the Bateman–Horn conjecture and that d<100 and d≢7mod8. Let m1,b1 be the constants from Lemma 3. For any integer t0, there are constants A2,B2 such that for all M>B2,

|SM⁢(m1⁢t0+b1)|>𝒜2⁢Mlog3⁡M.

The constants A2,B2 depend on t0. Moreover, the constant A2 is effectively computable.

Proof.

Let t′⁢(t)=m1⁢t+b1 and c′⁢(c)=m2⁢c+b2 be the change of coordinates given by Lemma 3. Then p′=p⁢(t′⁢(t0),c′), r′=r⁢(t′⁢(t0),c′), and c′ are integer polynomials in ℤ⁢[t,c], and satisfy Bunyakovsky’s property. Moreover, p′ and r′ are irreducible because their roots are linear combinations of the roots of p⁢(t0,c) and N⁢(t0,c), respectively. The latter are complex as long as t′⁢(t0)≠0,2. Thus p′, r′, and c′ satisfy the hypothesis of the Bateman–Horn conjecture as polynomials in ℤ⁢[c].

Let SM′⁢(t0) denote the set of c0 such that c′⁢(c0)∈SM⁢(t′⁢(t0)), and

Pp′,r′,c′⁢(M)={c0∈[1,M]:p′⁢(c0), r′⁢(c0), and c′⁢(c0) are prime}.

By above, we can apply the Bateman–Horn conjecture to the polynomials p′, r′, and c′. This means that there is a constant 𝒞, depending on the polynomials p′, r′, and c′ (which depend only on d and t0), such that

|Pp′,r′,c′⁢(M)|∼𝒞⁢Mlog3⁡M.

Notice that SM′⁢(t0)=Pp′,r′,c′⁢(M)∩J⁢(M), where J⁢(M)=[1m1⁢(12⁢M-b1),1m1⁢(M-b1)]. We will assume M≫max⁡{m12,16⁢b12} so that

|SM′⁢(t0)|=|P⁢(1m1⁢(12⁢M-b1))|-|P⁢(1m1⁢(M-b1))|

∼𝒞⁢1m1(12M-b1))log31m1(12M-b1))-𝒞⁢1m(M-b1))log31m1(M-b1))

≥𝒞2⁢m1⁢M-2⁢b1log3⁡M

>𝒞4⁢m1⁢Mlog3⁡M.

Thus there is some constant ℬ2 such that

|SM′⁢(t0)|>𝒞4⁢m1⁢Mlog3⁡M for all M>ℬ2.

Note that the constant ℬ2 depends on t0. The map c0↦c′⁢(c0) gives us an inclusion SM′⁢(t0)↪SM⁢(t′⁢(t0)). Therefore the inequality in the claim holds with 𝒜2=𝒞4⁢m1.

It remains to show that the constant 𝒞 given in the Bateman–Horn conjecture is computable.^[7] Let

g1=t02+d⁢c2,g2=(t0-2)2+d⁢c2,g3=c,and G=g1⋅g2⋅g3.

Define ωi⁢(p) to be the number of roots of gimodp and ω⁢(p) to be the number of roots of Gmodp. Then G differs from p′⋅r′⋅c′ by a linear change of coordinates and scaling. It follows that the constant 𝒞 differs from the product

𝒞2=∏p≥51-ω⁢(p)p(1-1p)3

in at most a finite number of factors. So it is sufficient to show 𝒞2 is computable. Notice that for any prime p≥5:

g1(c)≡g2(c)≡0modp⟹p∣t0+2,

g1(c)≡g3(c)≡0modp⟹p∣t0,

g2(c)≡g3(c)≡0modp⟹p∣t0-2.

Let S denote the set of primes dividing 6⁢d⁢t0⁢(t0-2)⁢(t0+2). Then for any prime p∉S,

ω⁢(p)=ω1⁢(p)+ω2⁢(p)+ω3⁢(p).

Let χ⁢(p)=1 if -d is a square mod p and -1 otherwise. Then one can show that for any p∉S we have that

ω1⁢(p)=ω2⁢(p)=χ⁢(p)+1,

therefore

ω⁢(p)=2⁢(χ⁢(p)+1)+1.

Note that the product

∏p1-2⁢(χ⁢(p)+1)+1p(1-1p)3=𝒞3⁢∏p(1-χ⁢(p)p)2,

where 𝒞3 is an effectively computable constant. By Dirichlet’s analytic formula,

∏p(1-χ⁢(p)p)2=(k⁢d2⁢π⁢h)2,

where k, h are the number of roots of unity and class number of ℚ⁢(-d), respectively. ∎

Theorem 7.

Assume the Bateman–Horn conjecture and that d<100, and suppose d≢7mod8. Let m1,b1 be the constants from Lemma 3, which depend only on d. For any fixed integer t0, there are constants A3,B3 such that the probability that c∈SM,K⁢(m1⁢t0+b1) given that c∈SM⁢(m1⁢t0+b1) is bounded above by

𝒜3⁢K2⁢log4⁡MM

for all M>B3. The constant A3 is computable.

Proof.

We have to bound SM,K⁢(m1⁢t0+b1)/SM⁢(m1⁢t0+b1) above. This follows immediately from the previous propositions. Proposition 2 gives an upper bound for SM,K⁢(m1⁢t0+b1), and Proposition 6 gives a lower bound for SM⁢(m1⁢t0+b1). ∎

Warning 2.

We do not have a computable upper bound for the constant ℬ3.

5.3 Proof of Theorem 2

We can now prove Theorem 2 using a modified version of Algorithm 1. In order to apply Theorem 7, we need to modify Algorithm 1 so that t lies in an interval independent of the input bound M.

Algorithm 2 (Isolated curve.).

Proof of Theorem 2.

We will show that Algorithm 2 satisfies the claims in Theorem 2.

By the Bateman–Horn conjecture and Lemma 3, for any fixed d,t as chosen in the algorithm, the number of possible values of c≤M such that p,c,N/cof⁢(d⁢c2) are simultaneously prime, is Ω⁢(M/log3⁡M). Because there is a finite number of possibilities for t,d, which are independent of M, this implies that the expected number of iterations of the main loop of Algorithm 2 is O⁢(log3⁡M).

The probability that the embedding degree of the returned curve is less than log2⁡p follows from Theorem 7 using K=log2⁡M. Note that here we are using that t,d are bounded independently of M, in order to average the result of Theorem 7 for all values of t in the interval [3,100].

The resulting curve E has N points, where N=r⋅cof⁡(d⁢c2) and r is prime. Recall that cof(dc2)∣24 by definition (see equation (4.1)). Also, E is isolated with gap c and set-size 8 because c is prime, and the bound d≤100 implies that the class number of ℚ⁢(-d) is at most 8. The lower bound c≥p/50-100 follows from a straightforward computation. ∎

Remark 8.

The bound on t in Algorithm 2 is mostly arbitrary. It is important that the upper bound on |t| is independent of M. The lower bound t≥3 is for the same reason as the restriction on t in Algorithm 1.

6 Extending the results

The goal of this section is to discuss the following issues with Theorem 2:

The algorithm used in the proof (Algorithm 2) places a restriction on t, limiting the amount of randomness in the selection of an isolated curve.
It does not give a computable bound lower bound for what “sufficiently large” is.

Recall that the main idea of both Algorithm 1 and Algorithm 2 is to search for integers t,c such that three functions (p⁢(t,c), r⁢(t,c) and c) are simultaneously prime. Algorithm 2 imposes a restriction on t that allowed us to reduce to the one variable case and apply the Bateman–Horn conjecture. We expect that the restriction on t is unnecessary, and that the following properties hold:

The expected number integers t,c sampled in Algorithm 1 is O⁢(log3⁡M).
The probability that a curve returned by Algorithm 1 has an embedding degree <log2⁡M is O⁢(log8⁡MM).
The implied constants in these estimates are computable.

In the notation of Section 5, all three properties reduce to giving computable bounds for SM and SM,K. Recall that the expected number of iterations of the main loop of Algorithm 1 is roughly |SM|M and the probability of an embedding degree less than K is about |SM,K||SM|. For Theorem 2, we fixed t and gave bounds for SM,K⁢(t) and SM⁢(t) in Proposition 2 and Proposition 6, respectively. We would like to extend those bounds to SM,K and SM.

Proposition 1.

There is a computable constant A4 such that for any positive integers M and K,

|SM,K|≤𝒜4⁢K2⁢M⁢log⁡M.

Proof.

By definition, |SM,K|≤∑t=1M|SM,K⁢(t)|. Then by Proposition 2,

|SM,K|≤∑t=1M𝒜1⁢K2⁢log⁡t≤𝒜1⁢K2⁢M⁢log⁡M,

where 𝒜1 is the constant from Proposition 2. Hence we may take 𝒜4=𝒜12. ∎

Problem 2.

Find a computable number 𝒜5, depending only on the fundamental discriminant d, such that for any positive integer M,

|SM|>𝒜5⁢Mlog3⁡M.

Remark 3.

A solution to Problem 2 would be useless in practice if 𝒜5 is too small (e.g. 2-100). Hence we implicitly require that 𝒜5 lies within a reasonable range, such as 𝒜5>2-20.

6.1 An alternative conjecture

Even under the Bateman–Horn conjecture we are unable to solve Problem 2. This is because the Bateman–Horn conjecture only gives an asymptotic formula; it does not provide information about the error term.^[8] However, there is another natural conjecture one may consider related to the Bateman–Horn conjecture.

Conjecture 4.

Let f1,…,fk∈ℤ⁢[x,y] be such that every fi is irreducible and gcda,b∈ℤ⁢∏fi⁢(a,b)=1. Let Pf1,…,fk⁢(N) denote the number of pairs a,b such that 0≤a,b≤N and f1⁢(a,b),…,fk⁢(a,b) are simultaneously prime. Then for any N0>0, there exists a computable constant C (depending on N0 and the fi) such that

Pf1,…,fk⁢(N)>C⁢N2logk⁡N for all N>N0.

Remark 5.

As stated, the constant C in Conjecture 4 depends on N0. We could have equivalently stated the conjecture with C independent of N0. However, in practice we usually avoid small values of N.

Recall that before the prime number theorem was proven, Chebyshev showed that π⁢(N)≥log⁡22⁢Nlog⁡N for all N≥2, cf. [33, Theorem 5.3]. In a way, Conjecture 4 is to the Bateman–Horn conjecture as Chebyshev’s inequality is to the prime number theorem. Conjecture 4 is weaker than the Bateman–Horn conjecture in the sense that it only asks for a lower bound, not an asymptotic formula. In fact, Conjecture 4 would follow from the Bateman–Horn conjecture if it had included a clause about the error term.

6.2 Heuristic evidence

The same heuristics used to justify the Bateman–Horn conjecture suggest that Pf1,…,fk in Conjecture 4 has the right order of magnitude. Let f⁢(x,y)∈ℤ⁢[x,y] such that gcdx,y∈ℤ⁡f⁢(x,y)=1. If we pretend that f⁢(x,y) acts like a random number, then the probability that f⁢(x,y) is prime should be roughly 1log⁡|f⁢(x,y)|. If x,y are chosen independently from a uniform distribution on [0,N], then the probability that f⁢(x,y) is prime should be roughly 1d⁢log⁡N, where d is the degree of f (i.e. the highest total degree of any monomial in f). Given multiple polynomials f1,…,fk satisfying the hypothesis in Conjecture 4, we expect that the probability that they are simultaneously prime is the product of the probabilities for each fi, up to some constant correction factor. This suggests that Pf1,…,fk=Θ⁢(N2logk⁡N), but gives no insight into the constants.

6.3 Theoretical evidence

Conjecture 4 also differs from the Bateman–Horn conjecture in that it applies to polynomials in two variables. There are many cases where the conjecture can be proven. For example, we can apply the prime number theorem for quadratic fields to estimate how often certain quadratic forms are prime [15, Theorem 21.1]. The Friedlander–Iwaniec theorem [14] gives an asymptotic density of primes of the form x2+y4. More recently considered were pairs x,y such that x2-x⁢y+y2 and 2⁢x-y are both prime [29]. One of the examples closest to Problem 2 is the following result of Fouvry and Iwaniec.

Theorem 6 (Fouvry and Iwaniec [15, Theorem 20.3], [11]).

Let Λ be the von Mangoldt function defined by

Λ⁢(n)={log⁡pif n=pk for some prime p,0otherwise.

Then

∑x2+y2≤NΛ⁢(x)⁢Λ⁢(x2+y2)=π⁢H4⁢N+O⁢(Nlog1/4⁡N),

where the sum is over positive integer, H=∏p(1-χ⁢(p)p-1), and

χ⁢(p)={1,p≡1mod4,-1,p≡3mod3,0,p=2.

Corollary 7.

Let Px,x2+y2⁢(N) denote the number of pairs x,y∈[0,N] such that x and x2+y2 are simultaneously prime. Then

Px,x2+y2⁢(N)=Ω⁢(N2log2⁡N).

Proof.

First notice that

Px,x2+y2⁢(N)=∑x,x2+y2⁢prime0<x,y<N1

≥∑x,x2+y2⁢prime0<x2+y2<N21

≥12⁢log2⁡N⁢∑x,x2+y2⁢prime0<x2+y2<N2Λ⁢(x)⁢Λ⁢(x2+y2).

The only difference between the last sum and the sum in Theorem 6, is that the latter includes prime powers. The number of prime powers less than N2 is bounded above by log⁡(N)⁢π⁢(N)<2⁢N. For each prime power pk less than N, there are at most 4⁢(k+1) pairs x,y such that x2+y2=pk. This is because there are at most k+1 ideals in ℤ⁢[i] with norm pk, and each has at most four distinct generators. Therefore

Px,x2+y2⁢(N)≥12⁢log2⁡N⁢∑x2+y2≤N2Λ⁢(x)⁢Λ⁢(x2+y2)-4⁢Nlog⁡N.

The claim now follows from Theorem 6. ∎

If we restrict to even values of t, then for d=4 we have that p⁢(t,c)=(t2)2+c2. Hence the corollary above implies that for d=4 we have

#⁢{t,c:p=t2+d⁢c24⁢ and ⁢c⁢ are prime and ⁢p≤M}=Ω⁢(Mlog2⁡M).

This agrees with our heuristics because we have two polynomials and the probability both are prime is roughly 1/log2⁡M when choosing t,c randomly in [0,M]. We expect the same principal term for other values of d. Furthermore, adding the requirement that r⁢(t,c) is prime should change the principle term by a factor of 1/log⁡M. It is unclear if the methods used in the proof of Theorem 6 could extend to cover pairs t,c such that all three functions p, r, and c are all simultaneously prime.

6.4 Numerical evidence

We implemented Algorithm 1 with d=4 using a few modifications for efficiency, such as only choosing odd values of c and even values of t. For a few values of M, we counted the number of iterations the main loop ran until the algorithm returned. Equivalently, this is the number of pairs t,c chosen at random until p, r, and c were simultaneously prime. The number of iterations was always below log3⁡M as shown in Figure 1.

We also computed the embedding degree of a curve returned by Algorithm 1 with M=298. In 10,000 runs we observed 0 curves with embedding degree <log2⁡(M). This should be compared with the bound

log8⁡(M)M≈0.80527.

$Figure 1 Comparing the observed number of samples of t,c{t,c} used in Algorithm 1 with log3⁡M{\log^{3}M} for various values of M.$

Figure 1

Comparing the observed number of samples of t,c used in Algorithm 1 with log3⁡M for various values of M.

7 Conclusion

We acknowledge that a solution to Problem 2 may not be as mathematically interesting as proving an asymptotic formula with an optimal error bound for a generalized, two variable Bateman–Horn conjecture. However, a solution to Problem 2 would be enough to:

Prove the efficiency of an algorithm to generate an isolated curve with large embedding degree.
Prove that the space of isolated curves is large enough to provide sufficient randomness in parameter selection.

These facts are enough to show that isolated curves provide cryptosystems resistant to the isogeny based attacks described in the introduction.

Communicated by Hugh Williams

Acknowledgements

I would like to thank my advisor Neal Koblitz for all of his support and guidance while working on this paper. I would also like to thank Bianca Viray for her patience in reading many first drafts, as well as David Jao for helpful conversations about computing isogenies between elliptic curves at a conference. Finally, I am grateful to my fellow graduate students for listening to me talk about elliptic curves in every seminar.

References

[1] R. Balasubramanian and N. Koblitz, The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm, J. Cryptology 11 (1998), no. 2, 141–145. 10.1007/s001459900040Suche in Google Scholar

[2] P. T. Bateman and R. A. Horn, A heuristic asymptotic formula concerning the distribution of prime numbers, Math. Comp. 16 (1962), 363–367. 10.1090/S0025-5718-1962-0148632-7Suche in Google Scholar

[3] R. Bröker, D. Charles and K. Lauter, Evaluating large degree isogenies and applications to pairing based cryptography, Pairing-Based Cryptography – Pairing 2008, Lecture Notes in Comput. Sci. 5209, Springer, Berlin (2008), 100–112. 10.1007/978-3-540-85538-5_7Suche in Google Scholar

[4] R. Bröker, K. Lauter and A. V. Sutherland, Modular polynomials via isogeny volcanoes, Math. Comp. 81 (2012), no. 278, 1201–1231. 10.1090/S0025-5718-2011-02508-1Suche in Google Scholar

[5] P.-J. Cahen and J.-L. Chabert, Integer-Valued Polynomials, Math. Surveys Monogr. 48, American Mathematical Society, Providence, 1997. 10.1090/surv/048Suche in Google Scholar

[6] H. Cohen, A Course in Computational Algebraic Number Theory, Grad. Texts in Math. 138, Springer, Berlin, 1993. 10.1007/978-3-662-02945-9Suche in Google Scholar

[7] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen and F. Vercauteren, Handbook of Elliptic and Hyperelliptic Curve Cryptography, Discrete Math. Appl. (Boca Raton), Chapman & Hall/CRC, Boca Raton, 2006. 10.1201/9781420034981Suche in Google Scholar

[8] A. C. Cojocaru and I. E. Shparlinski, On the embedding degree of reductions of an elliptic curve, Inform. Process. Lett. 109 (2009), no. 13, 652–654. 10.1016/j.ipl.2009.02.018Suche in Google Scholar

[9] D. A. Cox, Primes of the Form x2+n⁢y2. Fermat, Class Field Theory, and Complex Multiplication, 2nd ed., Pure Appl. Math. (Hoboken), John Wiley & Sons, Hoboken, 2013. 10.1002/9781118400722Suche in Google Scholar

[10] A. Entin, On the Bateman–Horn conjecture for polynomials over large finite fields, preprint (2014), http://arxiv.org/abs/1409.0846. 10.1112/S0010437X16007570Suche in Google Scholar

[11] E. Fouvry and H. Iwaniec, Gaussian primes, Acta Arith. 79 (1997), no. 3, 249–287. 10.4064/aa-79-3-249-287Suche in Google Scholar

[12] G. Frey, M. Müller and H.-G. Rück, The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 (1999), no. 5, 1717–1719. 10.1109/18.771254Suche in Google Scholar

[13] J. Friedlander and A. Granville, Limitations to the equi-distribution of primes. IV, Proc. Roy. Soc. London Ser. A 435 (1991), no. 1893, 197–204. 10.1098/rspa.1991.0138Suche in Google Scholar

[14] J. Friedlander and H. Iwaniec, Using a parity-sensitive sieve to count prime values of a polynomial, Proc. Natl. Acad. Sci. USA 94 (1997), no. 4, 1054–1058. 10.1073/pnas.94.4.1054Suche in Google Scholar PubMed PubMed Central

[15] J. Friedlander and H. Iwaniec, Opera de Cribro, Amer. Math. Soc. Colloq. Publ. 57, American Mathematical Society, Providence, 2010. 10.1090/coll/057Suche in Google Scholar

[16] D. Jao, S. D. Miller and R. Venkatesan, Do all elliptic curves of the same order have the same difficulty of discrete log?, Advances in Cryptology – ASIACRYPT 2005, Lecture Notes in Comput. Sci. 3788, Springer, Berlin (2005), 21–40. 10.1007/11593447_2Suche in Google Scholar

[17] D. Jao, S. D. Miller and R. Venkatesan, Expander graphs based on GRH with an application to elliptic curve cryptography, J. Number Theory 129 (2009), no. 6, 1491–1504. 10.1016/j.jnt.2008.11.006Suche in Google Scholar

[18] D. Jao and V. Soukharev, A subexponential algorithm for evaluating large degree isogenies, Algorithmic Number Theory, Lecture Notes in Comput. Sci. 6197, Springer, Berlin (2010), 219–233. 10.1007/978-3-642-14518-6_19Suche in Google Scholar

[19] J. Katz and Y. Lindell, Introduction to Modern Cryptography, 2nd ed., Chapman & Hall/CRC Cryptogr. Netw. Secur., CRC Press, Boca Raton, 2015. Suche in Google Scholar

[20] A. H. Koblitz, N. Koblitz and A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm shift, J. Number Theory 131 (2011), no. 5, 781–814. 10.1016/j.jnt.2009.01.006Suche in Google Scholar

[21] N. Koblitz and A. Menezes, The brave new world of bodacious assumptions in cryptography, Notices Amer. Math. Soc. 57 (2010), no. 3, 357–365. Suche in Google Scholar

[22] D. Kohel, Endomorphism rings of elliptic curves over finite fields, Ph.D. thesis, University of California at Berkeley, 1996, http://echidna.maths.usyd.edu.au/~kohel/pub/thesis.pdf. Suche in Google Scholar

[23] J. C. Lagarias and A. M. Odlyzko, Effective versions of the Chebotarev density theorem, Algebraic Number Fields, Academic Press, London (1977), 409–464. Suche in Google Scholar

[24] F. Luca, D. J. Mireles and I. E. Shparlinski, MOV attack in various subgroups on elliptic curves, Illinois J. Math. 48 (2004), no. 3, 1041–1052. 10.1215/ijm/1258131069Suche in Google Scholar

[25] A. J. Menezes, T. Okamoto and S. A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inform. Theory 39 (1993), no. 5, 1639–1646. 10.1109/18.259647Suche in Google Scholar

[26] A. Menezes and E. Teske, Cryptographic implications of Hess’ generalized GHS attack, Appl. Algebra Engrg. Comm. Comput. 16 (2006), no. 6, 439–460. 10.1007/s00200-005-0186-8Suche in Google Scholar

[27] A. Menezes, E. Teske and A. Weng, Weak fields for ECC, Topics in Cryptology – CT-RSA 2004, Lecture Notes in Comput. Sci. 2964, Springer, Berlin (2004), 366–386. 10.1007/978-3-540-24660-2_28Suche in Google Scholar

[28] S. D. Miller and R. Venkatesan, Spectral analysis of Pollard rho collisions, Algorithmic number theory, Lecture Notes in Comput. Sci. 4076, Springer, Berlin (2006), 573–581. 10.1007/11792086_40Suche in Google Scholar

[29] M. Pandey, On Eisenstein primes, preprint (2016), https://arxiv.org/abs/1607.00469v1. Suche in Google Scholar

[30] K. Rubin and A. Silverberg, Choosing the correct elliptic curve in the CM method, Math. Comp. 79 (2010), no. 269, 545–561. 10.1090/S0025-5718-09-02266-2Suche in Google Scholar

[31] A. Schinzel and W. Sierpiński, Sur certaines hypothèses concernant les nombres premiers, Acta Arith. 4 (1958), 185–208; erratum, Acta Arith. 5 (1958), 259. 10.4064/aa-4-3-185-208Suche in Google Scholar

[32] R. Schoof, Nonsingular plane cubic curves over finite fields, J. Combin. Theory Ser. A 46 (1987), no. 2, 183–211. 10.1016/0097-3165(87)90003-3Suche in Google Scholar

[33] V. Shoup, A Computational Introduction to Number Theory and Algebra, 2nd ed., Cambridge University Press, Cambridge, 2009. 10.1017/CBO9780511814549Suche in Google Scholar

[34] J. H. Silverman, The Arithmetic of Elliptic Curves, 2nd ed., Grad. Texts in Math. 106, Springer, New York, 2009. 10.1007/978-0-387-09494-6Suche in Google Scholar

[35] N. P. Smart, The discrete logarithm problem on elliptic curves of trace one, J. Cryptology 12 (1999), no. 3, 193–196. 10.1007/s001459900052Suche in Google Scholar

[36] A. V. Sutherland, Isogeny volcanoes, ANTS X – Proceedings of the Tenth Algorithmic Number Theory Symposium, Open Book Ser. 1, Mathematical Sciences Publishers, Berkeley (2013), 507–530. 10.2140/obs.2013.1.507Suche in Google Scholar

[37] W. Wang, Isolated curves for hyperelliptic curve cryptography, Ph.D. thesis, University of Washington, 2012, http://search.proquest.com/docview/1197791596. Suche in Google Scholar

[38] The Sage Developers, SageMath, the Sage Mathematics Software System (Version 6.10), 2016, http://www.sagemath.org/. Suche in Google Scholar

Received: 2016-9-13

Revised: 2017-4-28

Accepted: 2017-5-1

Published Online: 2017-5-11

Published in Print: 2017-10-1

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2016-0053

Schlagwörter für diesen Artikel

Elliptic curves; isogenies; isolated curves; embedding degree; cryptography; distribution of primes

Creative Commons

BY-NC-ND 3.0