Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography
Abstract
The subject of the thesis at hand is the description of an efficient algorithm for finding an elliptic curve over a finite prime field of large characteristic suitable for use in cryptography. The algorithm is called cryptoCurve. It makes use of the theory of complex multiplication. Our work relies on proposals of A.-M. Spallek ([Spa92]) and G.J. Lay/H.G. Zimmer ([Lay94], [LZ94]). However, their work leaves several important questions and problems unanswered. First, neither author presents an algorithm to find a suitable cardinality, that is, a prime field and a cardinality of a suitable elliptic curve group. We develop and describe a very efficient algorithm for this task; in addition, we give upper bounds on its complexity. In this efficient algorithm the prime field may not be chosen in advance. However, in some cases the field is given first. For instance, all international cryptographic standards which describe an algorithm for finding a suitable cardinality make use of the latter approach ([P1363], Chapter A.14.2.3, p. 155, [X9.62], Chapter E.3.2.c, p. 115-116). We show how to significantly speed up these algorithms. Second, no previously proposed algorithm for the generation of an elliptic curve considers the class number of the endomorphism ring of the curve. The German Information Security Agency requires the class number of the maximal order containing the endomorphism ring to be at least 200 ([GIS01]). Our algorithm cryptoCurve respects this condition. Third, we develop and thoroughly investigate different methods to compute class polynomials. The computation of a class polynomial is an important subalgorithm in the complex multiplication approach. In general the integer coefficients of a class polynomial are very large. Hence their computation in practice is rather difficult.
It was believed in the cryptographic community that only class polynomials of low degree, say of degree at most 50, are amenable to the complex multiplication approach (see for example [MP97]). However, using our efficient algorithm, we are able to compute a class polynomial of degree up to 3000 in reasonable time, that is, in less than 10 minutes on an ordinary PC. In addition, we are able to compute a class polynomial of degree 15000 on the same computer in less than two days. Fourth, we carry out a detailed practical investigation of the floating point precision needed to compute a class polynomial. The precision in use is important for the run time to compute a class polynomial in practice. However, in order to get a correct result, we have to choose the floating point precision with care. To date, different precisions have been proposed (see for instance [AM93], [BSS99], [LZ94]). All of them are based only on heuristic arguments, and none of the authors presents a practical investigation. In addition, none of the cryptographic standards [P1363] or [X9.62] gives a hint on how to choose an appropriate floating point precision. For instance, we quote from [P1363], Annex A, p. 151: "The above computation must be performed with sufficient accuracy to identify each coefficient of the polynomial wD(t). Since each such coefficient is an integer, this means that the error incurred in calculating each coefficient should be less than 1/2." Obviously this statement is not useful for choosing the floating point precision in practice. Furthermore, in the case of the class polynomial due to N. Yui and D. Zagier ([YZ97]), which uses Weber functions, we propose a new floating point precision to compute this polynomial in practice. Our precision yields a significant performance improvement. Sample tests show an acceleration of about 45% in practice compared to the precision proposed in [LZ94]. All algorithms of this thesis are implemented in C++ and available via the LiDIA module gec.
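The class-number condition mentioned in the abstract can be checked independently for a given curve. The following is an added example, not code from the thesis or from the LiDIA gec module; the function names are hypothetical. It assumes an ordinary curve over F_p with Frobenius trace t, whose endomorphism ring lies in the maximal order of discriminant equal to the fundamental part of t^2 - 4p, and it uses trial division and form counting that are only practical for small discriminants.

```python
from math import gcd, isqrt

def fundamental_discriminant(D):
    """Discriminant of the maximal order containing the order of discriminant D < 0."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be negative and congruent to 0 or 1 mod 4")
    s, f = -D, 2
    while f * f <= s:                  # strip square factors: -D = s * m^2
        while s % (f * f) == 0:
            s //= f * f
        f += 1
    return -s if (-s) % 4 == 1 else -4 * s

def class_number(d):
    """h(d) for d < 0, counting reduced primitive forms (a, b, c), b^2 - 4ac = d."""
    h = 0
    # Reduced forms satisfy |b| <= a <= c, hence 3b^2 <= |d|; b has the parity of d.
    for b in range(d % 2, isqrt(-d // 3) + 1, 2):
        n = (b * b - d) // 4           # n = a * c
        for a in range(max(b, 1), isqrt(n) + 1):
            if n % a:
                continue
            c = n // a
            if gcd(gcd(a, b), c) != 1:
                continue
            # (a, b, c) and (a, -b, c) are both reduced and distinct
            # unless b == 0, b == a or a == c.
            h += 1 if b == 0 or b == a or a == c else 2
    return h

def meets_class_number_bound(p, t, bound=200):
    """True if the maximal order for trace t over F_p has class number >= bound."""
    d0 = fundamental_discriminant(t * t - 4 * p)
    return class_number(d0) >= bound

if __name__ == "__main__":
    # Constructed toy values: p = 101, t = 2 gives t^2 - 4p = -400 = -4 * 10^2,
    # so the maximal order has discriminant -4 and class number 1.
    print(fundamental_discriminant(2 * 2 - 4 * 101), meets_class_number_bound(101, 2))
```

In the complex multiplication approach the discriminant is chosen before the curve, so the same check can be applied to a candidate discriminant before any class polynomial is computed.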
Similar resources
Efficient elliptic curve cryptosystems
Elliptic curve cryptosystems (ECC) are new generations of public key cryptosystems that have a smaller key size for the same level of security. The exponentiation on elliptic curve is the most important operation in ECC, so when the ECC is put into practice, the major problem is how to enhance the speed of the exponentiation. It is thus of great interest to develop algorithms for exponentiation...
Construction of an Elliptic Curve over Binary Finite Fields to combine with LDPC Code in Mobile Communication
In this paper we propose the construction of an efficient cryptographic system, based on the combination of the ElGamal Elliptic Curve Algorithm and Low Density Parity Check (LDPC) codes for mobile communication. When using elliptic curves and codes for cryptography it is necessary to construct elliptic curves with a given or known number of points over a given finite field, in order to represe...
Applications of elliptic curves in public key cryptography
The most popular public key cryptosystems are based on the problem of factorization of large integers and discrete logarithm problem in finite groups, in particular in the multiplicative group of finite field and the group of points on elliptic curve over finite field. Elliptic curves are of special interest since they at present allow much shorter keys, for the same level of security, compared ...
On Efficient Pairings on Elliptic Curves over Extension Fields
In implementation of elliptic curve cryptography, three kinds of finite fields have been widely studied, i.e. prime field, binary field and optimal extension field. In pairing-based cryptography, however, pairing-friendly curves are usually chosen among ordinary curves over prime fields and supersingular curves over extension fields with small characteristics. In this paper, we study pairings on...
Efficient implementation of low time complexity and pipelined bit-parallel polynomial basis multiplier over binary finite fields
This paper presents two efficient implementations of fast and pipelined bit-parallel polynomial basis multipliers over GF(2^m) by irreducible pentanomials and trinomials. The architecture of the first multiplier is based on a parallel and independent computation of powers of the polynomial variable. In the second structure only even powers of the polynomial variable are used. The par...
Elliptic Curves of Prime Order over Optimal Extension Fields for Use in Cryptography
We present an algorithm for generating elliptic curves of prime order over Optimal Extension Fields suitable for use in cryptography. The algorithm is based on the theory of Complex Multiplication. Furthermore, we demonstrate the efficiency of the algorithm in practice by giving practical running times. In addition, we present statistics on the number of cryptographically strong elliptic curves...