On the Minimal Embedding Field

We discuss the underlying mathematics that causes the embedding degree of a curve of any genus to not necessarily correspond to the minimal embedding field, and hence why it may fail to capture the security of a pairing-based cryptosystem. Let C be a curve of genus g defined over a finite field Fq, where q = p for a prime p. The Jacobian of the curve is an abelian variety, JC(Fq), of dimension g defined over Fq. For some prime N , coprime to p, the embedding degree of JC(Fq)[N ] is defined to be the smallest positive integer k such that N divides q − 1. Hence, Fqk contains a subgroup of order N . To determine the security level of a pairing-based cryptosystem, it is important to know the minimal field containing the Nth roots of unity, since the discrete logarithm problem can be transported from the curve to this field, where one can perform index calculus. We show that it is possible to have a dramatic (unbounded) difference between the size of the field given by the embedding degree, Fpmk , and the minimal embedding field that contains the Nth roots of unity, Fpd , where d | mk. The embedding degree has utility as it indicates the field one must work over to compute the pairing, while a security parameter should indicate the minimal field containing the embedding. We discuss a way of measuring the difference between the size of the two fields and we advocate the use of two separate parameters. We offer a possible security parameter, k′ = ordN p g , and we present examples of elliptic curves and genus 2 curves which highlight the difference between them. While our observation provides a proper theoretical understanding of minimal embedding fields in pairing-based cryptography, it is unlikely to affect curves used in practice, as a discrepancy may only occur when q is non-prime. Nevertheless, it is an important point to keep in mind and a motivation to recognize two separate parameters when describing a pairing-based cryptosystem.