On counting and generating curves over small finite fields

We consider curves defined over small finite fields with points of large prime order over an extension field. Such curves are often referred to as Koblitz curves and are of considerable cryptographic interest. An interesting question is whether such curves are easy to construct as the target point order grows asymptotically. We show that under certain number theoretic conjecture, if q is a prime power, r is a prime and √ q > (r log q)2+ , then there are at least Ω( q r1+ log q ) non-isomorphic elliptic curves E/Fq, such that the quotient group E(Fqr)/E(Fq) has prime order. We also show that under the same conjecture, if q is a prime power and r is a prime satisfying q > (r log q)2+ and √ q = o( q r1+ log q ), then there are at least Ω( q r1+ log q ) curves H/Fq of genus 2, such that the order of the quotient group Jac(H)(Fqr)/Jac(H)(Fq) is a prime. Based on these results we present simple and efficient algorithms for generating Ω(log n) non-isomorphic elliptic curves in Ω(log n) isogenous classes, each with a point of prime order Θ(n). The average time to generate one curve is O(log n). We also present an algorithm which generates Ω(log n) curves of genus two with Jacobians whose orders have a prime factor of order Θ(n), in heuristic expected time O(log n) per curve. Keyword: Curve-based cryptography, Koblitz curve, Bateman-Horn conjecture. Email addresses: [email protected] (Qi Cheng), [email protected] (Ming-Deh Huang). Preprint submitted to Journal of Complexity 31 July 2003