[Resource Topic] 2006/415: On the Minimal Embedding Field

Welcome to the resource topic for 2006/415

Title:
On the Minimal Embedding Field

Authors: Laura Hitt

Abstract:

We discuss the underlying mathematics that causes the embedding degree of a curve of any genus to not necessarily correspond to the minimal embedding field, and hence why it may fail to capture the security of a pairing-based cryptosystem. Let C be a curve of genus g defined over a finite field \F_q, where q=p^m for a prime p. The Jacobian of the curve is an abelian variety, J_C(\F_q), of dimension g defined over \F_q. For some prime N, coprime to p, the embedding degree of J_C(\F_q)[N] is defined to be the smallest positive integer k such that N divides q^k-1. Hence, \F_{q^k}^* contains a subgroup of order N. To determine the security level of a pairing-based cryptosystem, it is important to know the minimal field containing the $N$th roots of unity, since the discrete logarithm problem can be transported from the curve to this field, where one can perform index calculus. We show that it is possible to have a dramatic (unbounded) difference between the size of the field given by the embedding degree, \F_{p^{mk}}, and the minimal embedding field that contains the $N$th roots of unity, \F_{p^d}, where d\mid mk. The embedding degree has utility as it indicates the field one must work over to compute the pairing, while a security parameter should indicate the minimal field containing the embedding. We discuss a way of measuring the difference between the size of the two fields and we advocate the use of two separate parameters. We offer a possible security parameter, k'=\frac{\ord_Np}{g}, and we present examples of elliptic curves and genus 2 curves which highlight the difference between them. While our observation provides a proper theoretical understanding of minimal embedding fields in pairing-based cryptography, it is unlikely to affect curves used in practice, as a discrepancy may only occur when q is non-prime. Nevertheless, it is an important point to keep in mind and a motivation to recognize two separate parameters when describing a pairing-based cryptosystem.

ePrint: https://eprint.iacr.org/2006/415

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .