**On the Minimal Embedding Field**

*Laura Hitt*

**Abstract: **We discuss the underlying mathematics that causes the embedding
degree of a curve of any genus to not necessarily correspond to the
minimal embedding field, and hence why it may fail to capture the
security of a pairing-based cryptosystem. Let $C$ be a curve of
genus $g$ defined over a finite field $\F_q$, where $q=p^m$ for a
prime $p$. The Jacobian of the curve is an abelian variety,
$J_C(\F_q)$, of dimension $g$ defined over $\F_q$. For some prime
$N$, coprime to $p$, the embedding degree of $J_C(\F_q)[N]$ is
defined to be the smallest positive integer $k$ such that $N$
divides $q^k-1$. Hence, $\F_{q^k}^*$ contains a subgroup of order
$N$. To determine the security level of a pairing-based
cryptosystem, it is important to know the minimal field containing
the $N$th roots of unity, since the discrete logarithm problem can
be transported from the curve to this field, where one can perform
index calculus. We show that it is possible to have a dramatic
(unbounded) difference between the size of the field given by the
embedding degree, $\F_{p^{mk}}$, and the minimal embedding field
that contains the $N$th roots of unity, $\F_{p^d}$, where $d\mid
mk$.

The embedding degree has utility as it indicates the field one must work over to compute the pairing, while a security parameter should indicate the minimal field containing the embedding. We discuss a way of measuring the difference between the size of the two fields and we advocate the use of two separate parameters. We offer a possible security parameter, $k'=\frac{\ord_Np}{g}$, and we present examples of elliptic curves and genus 2 curves which highlight the difference between them. While our observation provides a proper theoretical understanding of minimal embedding fields in pairing-based cryptography, it is unlikely to affect curves used in practice, as a discrepancy may only occur when $q$ is non-prime. Nevertheless, it is an important point to keep in mind and a motivation to recognize two separate parameters when describing a pairing-based cryptosystem.

**Category / Keywords: **pairing-based cryptosystems, embedding degree, discrete logarithm, elliptic curve cryptography

**Date: **received 14 Nov 2006, last revised 26 Feb 2007

**Contact author: **lhitt at math utexas edu

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Note: **Re-packaged, different emphasis

**Version: **20070227:024852 (All versions of this report)

**Short URL: **ia.cr/2006/415

[ Cryptology ePrint archive ]