Efficient Algorithms for Generating Elliptic Curves over Finite Fields Suitable for Use in Cryptography

• Main Author: Baier, Harald
• Format: Others
• Language: English; en
• Published: 2002
• Online Access: https://tuprints.ulb.tu-darmstadt.de/211/1/dissertation_harald_baier.pdf; Baier, Harald <http://tuprints.ulb.tu-darmstadt.de/view/person/Baier=3AHarald=3A=3A.html> (2002): Efficient Algorithms for Generating Elliptic Curves over Finite Fields Suitable for Use in Cryptography.Darmstadt, Technische Universität, [Online-Edition: http://elib.tu-darmstadt.de/diss/000211 <http://elib.tu-darmstadt.de/diss/000211> <official_url>],[Ph.D. Thesis]

The subject of the thesis at hand is the description of an efficient algorithm for finding an elliptic curve over a finite prime field of large characteristic suitable for use in cryptography. The algorithm is called cryptoCurve. It makes use of the theory of complex multiplication. Our work relies on proposals of A.-M.Spallek and G.J.Lay/H.G.Zimmer. However, their work leaves several important questions and problems unanswered. First, neither author presents an algorithm to find a suitable cardinality, that is a prime field and a cardinality of a suitable elliptic curve group. We develop and describe a very efficient algorithm for this task; in addition, we give upper bounds of its complexity. In this efficient algorithm the prime field may not be chosen in advance. However, in some cases the field is given first. For instance, all international cryptographic standards which describe an algorithm for finding a suitable cardinality, make use of the latter approach (P1363, Chapter A.14.2.3, p.155, X9.62, Chapter E.3.2.c, p.115-116). We show how to significantly speed up these algorithms. Second, no previously proposed algorithm for the generation of an elliptic curve considers the class number of the endomorphism ring of the curve. The German Information Security Agency requires the class number of the maximal order containing the endomorphism ring to be at least 200. Our algorithm cryptoCurve respects this condition. Third, we develop and thoroughly investigate different methods to compute class polynomials. The computation of a class polynomial is an important subalgorithm in the complex multiplication approach. In general the integer coefficients of a class polynomial are very large. Hence their computation in practice is rather difficult. It was believed in the cryptographic community that only class polynomials of low degree, say of degree at most 50, are amenable to the complex multiplication approach. However, using our efficient algorithm, we are able to compute a class polynomial of degree up to 3000 in reasonable time, that is in less than 10 minutes on an ordinary PC. In addition, we are able to compute a class polynomial of degree 15000 on the same computer in less than two days. Fourth, we carry out a detailed practical investigation of the floating point precision needed to compute a class polynomial. The precision in use is important for the run time to compute a class polynomial in practice. However, in order to get a correct result, we have to choose the floating point precision with care. As of today, different precisions were proposed. All of them are only based on heuristic arguments, and none of the authors presents a practical investigation. In addition, none of the cryptographic standards P1363 or X9.62 gives a hint on how to choose an appropriate floating point precision. Furthermore, in case of the class polynomial due to N.Yui and D.Zagier, which uses Weber functions, we propose a new floating point precision to compute this polynomial in practice. Our precision yields a significant performance improvement. Sample tests show an acceleration of about 45 % in practice compared to the precision proposed by Lay/Zimmer. All algorithms of this thesis are implemented in C++ and available via the LiDIA module gec.