Pairing-Friendly Elliptic Curves of Prime Order

Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree k 6 6. More general methods produce curves over Fp where the bit length of p is often twice as large as that of the order r of the subgroup with embedding degree k; the best published results achieve ρ ≡ log(p)/ log(r) ∼ 5/4. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree k = 12. The new curves lead to very efficient implementation: non-pairing cryptosystem operations only need Fp and Fp2 arithmetic, and pairing values can be compressed to one sixth of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants D to minimize ρ; in particular, for embedding degree k = 2q where q is prime we show that the ability to handle log(D)/ log(r) ∼ (q − 3)/(q − 1) enables building curves with ρ ∼ q/(q − 1).