For secure and efficient implementation of pairing-based cryptography on genus g curves over $\F_q$, it is desirable that the ratio $\rho=\frac{g\log_2 q}{\log_2N}$ be approximately 1, where $N$ is the order of the subgroup with embedding degree $k$. We show that for our family of curves, $\rho$ is often near 1 and never more than 2.
We also give a sequence of $\F_q$-isogeny classes for a family of Jacobians of genus 2 curves over $\F_{q}$ whose minimal embedding field is much smaller than the finite field indicated by the embedding degree $k$. That is, the extension degrees in this example differ by a factor of $m$, where $q=2^m$, demonstrating that the embedding degree can be a far from accurate measure of security. As a result, we use an indicator $k'=\frac{\ord_N2}{m}$ to examine the cryptographic security of our family of curves.
Category / Keywords: embedding degree, genus 2, hyperelliptic curves, binary curves, pairing-based cryptosystems Date: received 30 Dec 2006, last revised 13 Feb 2009 Contact author: hitt36 at gmail com Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Note: updated details in proofs Version: 20090213:170832 (All versions of this report) Short URL: ia.cr/2007/001 Discussion forum: Show discussion | Start new discussion