10.07.2015 Views

here - Sites personnels de TELECOM ParisTech - Télécom ParisTech


Chapter 5. Complex multiplication and elliptic curves

contains the $l$-th roots of unity, i.e. the smallest integer such that $l \mid p^{\mathrm{ord}_l(p)} - 1$, or equivalently the multiplicative order of $p$ in $(\mathbb{Z}/l\mathbb{Z})^*$. Then $k = \mathrm{ord}_l(p)/\gcd(\mathrm{ord}_l(p), n)$ if $q = p^n$. Therefore, it is $\mathrm{ord}_l(p)$ rather than $k$ which should be considered for the difficulty of the discrete logarithm. For cryptographic applications however, the base field is often chosen to be prime so that both these values are equal.

Finally, it should be noted that supersingular curves cannot be used for classical public key cryptography.

Proposition 5.4.2 ([192]). Let $E$ be a supersingular curve. Then its embedding degree $k$ verifies $k \le 6$.

This is not a concern for ordinary curves. Indeed, for a random curve the embedding degree is relatively large, typically of the size of $l$.

Proposition 5.4.3 ([10]). Let $(p, E)$ be a random couple made of a prime number $p \in [M/2, M]$ and of an elliptic curve defined over $\mathbb{F}_p$ with a prime number of points $l$. Then the probability that $l \mid p^k - 1$ for $k \le (\log p)^2$ is smaller than

$$c\,(\log M)^9 (\log\log M)^2 / M$$

where $c$ is an effectively computable positive constant.

5.4.3 Identity-based cryptography

The idea of identity-based cryptography, proposed by Shamir [235], is to use any binary string (e.g. an email address) as a public key.

A trusted third party, the Public Key Generator, publishes a master public key from which all public keys are derived using only public data, and keeps a master secret key to compute the secret keys corresponding to the public data. This scheme makes it possible to encrypt messages, or check digital signatures, without prior distribution of public keys as in the classical public key cryptography model. However, the users must highly trust the Public Key Generator, because it can compute any private key, which is not the case in the classical infrastructure. Nonetheless, different variants exist where this pitfall is avoided.

The first instantiation of such an encryption scheme appeared only many years later: in 2001 in the works of Cocks [52], using quadratic residues, and of Boneh and Franklin [20, 21], using the Weil pairing.

Elliptic curves used in such schemes should not only be resistant to attacks against the discrete logarithm, but also have a small enough embedding degree so that the pairing is efficiently computable. Hence, supersingular curves are natural candidates, but their embedding degrees are always very small, which may not be sufficient and rules them out for several applications. Testing random curves will definitely not yield suitable curves. Using the CM method it is however possible to find ordinary curves which not only have a prime, or nearly prime, number of points, but also have a controlled embedding degree. More precisely, for a given discriminant $\Delta$, we want to find a couple $(t, q)$ where $q$ is a prime power, $t^2 - 4q = \Delta$ and $q + 1 - t$ has a large prime divisor $l$ which divides $q^k - 1$ for a suitable $k$, but not $q^i - 1$ for $i < k$. This last condition can be rephrased as $l$ dividing $\Phi_k(q)$ where $\Phi_k$ is the $k$-th cyclotomic polynomial. To summarize the above discussion, the following conditions are needed:

1. $t^2 - 4q = \Delta$ where $q$ is a prime power;
2. $l \mid q + 1 - t$ where $l$ is a large prime;
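The arithmetic conditions discussed above (the discriminant $t^2 - 4q$, a large prime $l$ dividing $q + 1 - t$, and $l$ dividing $\Phi_k(q)$) can be checked directly on small numbers. The following Python code is an added example, not taken from the original text: the function names and the toy pairs $(t, q) = (7, 103)$ and $(-1, 101)$ are constructed for illustration, $q$ is assumed prime, and only the arithmetic is tested (no curve is constructed).

```python
def largest_prime_factor(n):
    """Largest prime factor by trial division (toy sizes only)."""
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return n if n > 1 else best

def embedding_degree(q, l):
    """Smallest k with l | q^k - 1, i.e. the order of q in (Z/lZ)*."""
    if q % l == 0:
        raise ValueError("l divides q: no embedding degree")
    k, x = 1, q % l
    while x != 1:
        x, k = x * q % l, k + 1
    return k

def cyclotomic_at(k, q):
    """Phi_k(q), from q^k - 1 = product of Phi_d(q) over d | k."""
    val = q**k - 1
    for d in range(1, k):
        if k % d == 0:
            val //= cyclotomic_at(d, q)  # exact division
    return val

def check_pair(t, q, k):
    """Return (Delta, l, l | Phi_k(q)) for trace t over F_q, q prime."""
    if t * t > 4 * q:
        raise ValueError("trace outside the Hasse interval")
    l = largest_prime_factor(q + 1 - t)
    return t * t - 4 * q, l, cyclotomic_at(k, q) % l == 0

if __name__ == "__main__":
    # Constructed toy values, far too small for real use.
    print(check_pair(7, 103, 12), embedding_degree(103, 97))
    print(check_pair(-1, 101, 12), embedding_degree(101, 103))
```

The pair $(7, 103)$ gives $l = 97$ with embedding degree 12, and $\Phi_{12}(103)$ is the only $\Phi_k(103)$ with $k \le 12$ that $l$ divides. The pair $(-1, 101)$ gives $l = 103$ with embedding degree $102 = l - 1$, the "size of $l$" behaviour described for random curves.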
