Elliptic curves with j = 0,1728 and low embedding degree

Elliptic curves over a finite field with j-invariant 0 or 1728, both supersingular and ordinary, whose embedding degree k is low are studied. In the ordinary case we give conditions characterizing such elliptic curves with fixed embedding degree with respect to a subgroup of prime order ℓ. For , these conditions give parameterizations of q in terms of ℓ and two integers m, n. We show several examples of families with infinitely many curves. Similar parameterizations for need a fixed kth root of the unity in the underlying field. Moreover, when the elliptic curve admits distortion maps, an example is provided.


Introduction
Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$, with $q = p^r$, $p$ prime, $p \ge 5$, given by its Weierstrass model $y^2 = x^3 + Ax + B$; $A, B \in \mathbb{F}_q$. For general results on elliptic curves we refer to [21] and for their cryptographic applications to [4]. Recall that the cardinality $N = \#E(\mathbb{F}_q)$ is given by $N = q + 1 - t$, where $t$, the trace of the Frobenius endomorphism, satisfies (Hasse theorem) $|t| \le 2\sqrt{q}$. When $p \nmid t$ the curve $E/\mathbb{F}_q$ is called ordinary and its endomorphism ring $\mathrm{End}(E)$ can be embedded as an order in the imaginary quadratic field $K = \mathbb{Q}(\sqrt{t^2 - 4q})$, while if $p \mid t$ the curve is called supersingular and $\mathrm{End}(E)$ can be considered as an order in a quaternion algebra.

Let $E(\mathbb{F}_q)$ be the set of rational points of $E$ over the finite field $\mathbb{F}_q$. This set can be endowed with the structure of an abelian group. This group was proposed for use in discrete logarithm cryptosystems instead of the multiplicative group $\mathbb{F}_q^*$, as it is stronger against cryptanalytic attacks. However, the Menezes-Okamoto-Vanstone (MOV) and Frey-Rück (FR) algorithms use pairings (Weil, Tate, etc.) to translate the Discrete Logarithm Problem (DLP) on the points of $E(\mathbb{F}_q)$ into the DLP on a field extension $\mathbb{F}_{q^k}$ (see [4,16]). The natural number $k$ (the embedding degree) is characterized by the following definition.

*Corresponding author. Email: sadornild@unican.es

Definition 1.1 Let $\ell$ be a divisor of $N = \#E(\mathbb{F}_q)$ (usually a prime). The embedding degree of $E/\mathbb{F}_q$ with respect to $\ell$ is the smallest natural integer $k$ verifying the equivalent conditions:
(i) $\ell \mid (q^k - 1)$.
(ii) $\mathbb{F}_{q^k}^*$ contains a cyclic subgroup of order $\ell$.

If $\ell$ is the greatest prime divisor of $N = \#E(\mathbb{F}_q)$, then $k$ is called the embedding degree of $E/\mathbb{F}_q$.

It is also worth noting the following result by Balasubramanian and Koblitz [1]: if $k > 1$ the conditions (i) and (ii) are equivalent to The DLP on elliptic curves with small $k$ could be vulnerable to MOV and FR attacks. However, curves with small embedding degree are suitable in Pairing-based Cryptography [5]. For both destructive and constructive reasons, it is advisable to know the embedding degree of a given elliptic curve. Supersingular elliptic curves have embedding degree less than or equal to 6 (in fact, in this paper, since characteristic $p \neq 2, 3$, $k = 1, 2, 3$), while ordinary curves with small degree are scarce [1].
Elliptic curve cryptosystems work on a cyclic subgroup $\langle P \rangle \subseteq E(\mathbb{F}_q)$ of order $\ell$ (usually a prime). Nevertheless, the alternating property of the Weil pairing $e_\ell$ implies that $e_\ell$ is trivial for every pair of points $Q, R \in \langle P \rangle$. The same happens frequently for the Tate pairing (see [5, Chapter IX]). To avoid this obstacle, a modified pairing is used, employing a distortion map.

Definition 1.2 A distortion map for a point $P \in E(\mathbb{F}_q)$ of prime order $\ell$, coprime with $p$, is an endomorphism $\sigma$ of $E$ defined over $\mathbb{F}_{q^k}$ such that $\sigma(P) \notin \langle P \rangle$ ($e_\ell(P, \sigma(P)) \neq 1$).

Distortion maps always exist on supersingular elliptic curves but never for ordinary elliptic curves with embedding degree greater than 1 (see [22]). For ordinary curves with $k = 1$ they can exist only if $E[\ell] \subseteq E(\mathbb{F}_q)$. Nevertheless, in this case, $\ell$ must satisfy other conditions to guarantee the existence of a distortion map, see Theorem 2.1 of [7].
In this paper, we will study the embedding degree and distortion maps for curves with invariant $j = 1728$ (i.e. with Weierstrass equation $y^2 = x^3 + Ax$) and $j = 0$ (curves with equation $y^2 = x^3 + B$). These curves are well studied in the classical theory of elliptic curves [21]. Since the Weierstrass form of these curves is very simple, addition and doubling can be computed efficiently. These curves can be supersingular or ordinary and we consider both cases separately. Elliptic curves with $j = 0$ and embedding degree 1 have been studied recently in [13] by Kirlar. Our interest is focused on the characterization of families of curves for different small embedding degrees and not on implementation considerations, such as performance and cryptographic security requirements.
The paper is structured as follows. Section 2 recalls some basic information on elliptic curves with j-invariant 0 and 1728. Section 3 is devoted to supersingular curves, while ordinary elliptic curves are studied in Section 4. Finally, some particular families and examples are given in Section 5. From numerical experiments, we can deduce that the number of elliptic curves of the families with embedding degree 1 or 2 closely approaches the expected value given by the Bateman-Horn conjecture [3].

Elliptic curves with j-invariant 0 and 1728
Isomorphism classes and some information about the cardinality of the elliptic curves with j-invariant 1728 or 0 were provided in [19]. In the present paper we use those number-theoretic results as a tool and apply them to the aim stated above. To keep the paper self-contained, we recall these results from [19] in this section.
Both curves are supersingular. (ii) If q ≡ 1 (mod 4) then there exist four isomorphism classes with representatives, where ω is a generator of F q * . For p ≡ 3 (mod 4), so r even, these curves are supersingular, otherwise the curves are ordinary.
Remark The curve $E_0$ and its quadratic twist $E_2$ are independent of the particular generator $\omega$, but $E_1$, $E_3$ can be interchanged when changing it.
Both curves are supersingular. (ii) If q ≡ 1 (mod 3) then there exist six isomorphism classes with representatives, where ω is a generator of F q * . For p ≡ 2 (mod 3), so r even, these six curves are supersingular, otherwise the curves are ordinary.
Remark $E_0$, $E_1$ and $E_2$ are respectively a quadratic twist of $E_3$, $E_1$ and $E_5$. There is an ambiguity in the identification of $E_1$ or $E_5$ (resp. $E_2$ and $E_4$): they depend on the generator $\omega$ we take for $\mathbb{F}_q^*$. For instance, given two generators $\omega, \omega'$ such that $\omega = (\omega')^j$, $j \equiv 5 \pmod 6$, the curve $E_1 : y^2 = x^3 + \omega$ could also be read as $E_5 : y^2 = x^3 + (\omega')^5$. Only $E_0$, $E_3$ are independent of the particular generator $\omega$.

The supersingular case
The taxonomy of supersingular elliptic curves and their embedding degree is well established, see for instance [16]. The determination of the cardinality of supersingular curves with j = 1728 or 0 is already given in [19] and consequently their insertion in such classification is easy. We summarize those results in the following sections, giving also a distortion map for each curve. Some of these distortions can be found in [5], while others are adaptations of the general method suggested in [22].

Supersingular curves with j = 1728
The cardinality of these curves is given by the following result.
Curves with Equation (1) have embedding degree k = 2. According to [16] their groups of points are isomorphic to either Z/(q + 1)Z or Z/(q + 1)/2Z × Z/2Z. For any prime divisor = 2 of their group order and for any P = (x, y) of order a distortion map is given by Since √ −1 ∈ F q , both points P and σ (P) are linearly independent over F q . The curves E 1 , E 3 have cyclic groups and embedding degree k = 2. Now as √ −1 ∈ F q , then Equation (5) is not a distortion map. Nevertheless, we can take (for any prime = 2) the map, The curves E 0 , E 2 have rational groups Z/( √ q ∓ 1)Z × Z/( √ q ∓ 1)Z and embedding degree k = 1. Since these groups contain the full group of -torsion, the map given in Equation (5) is also a distortion map for any point P of order , except if P is an eigenvector for the endomorphism σ .

Supersingular curves with j = 0
The cardinality of these curves is given by the following result.
(iii) E 1 and E 4 are quadratic twist. The same occurs with E 2 and E 5 . E 1 and E 5 have cardinality q + 1 ± √ q and E 2 and E 4 have cardinality q Curves with Equation (3) have embedding degree k = 2 and group cyclic or isomorphic to Z/(q + 1)/2Z × Z/2Z. For any prime divisor = 3 dividing the cardinality and for any P = (x, y) of order a distortion map is given by with 1. For any prime = 3 dividing #E(F q ) the above map is a distortion map for any point P = (x, y) not eigenvector of σ . The four curves E 1 , E 2 , E 4 , E 5 have cyclic groups, embedding degree k = 3 and if α ∈ F q 3 such that α 3 = ω i , i = 1, 2, 4, 5, a distortion map is:

The ordinary case
Several constructions of ordinary elliptic curves with small embedding degree can be found in the literature, for example [2], [5, Chapter IX], [9,11,13,14,17]. Most of them are based on the following idea: Given an embedding degree k, look for a suitable equation t 2 − 4q = Dh 2 with a small D and then determine an elliptic curve with discriminant D and cardinality q + 1 − t using the complex multiplication method. Our approach is, in some way, opposite to this because we impose D = −1, −3 (i.e. j = 1728, 0) and we look for suitable values of and q that guarantee the desired k. According to Propositions 2.1 and 2.3, elliptic curves over F q , q = p r are ordinary if j = 1728 and p ≡ 1 (mod 4) and if j = 0 and p ≡ 1 (mod 3). To characterize when these elliptic curves have low embedding degree we will take advantage of the following result, given by Cocks and Pinch [6]. Thus, as t is the trace of the Frobenius endomorphism π , first we have to impose conditions for it, so that one of four elements in Z[ , with norm q has the right trace. Then we have to decide which of the four curves E i (respectively six curves E i ) corresponds to such π. For this purpose, Lemmas 2.2 and 2.4 will be useful.
To continue, we will study separately the cases of embedding degree k = 1, 2 and higher.

Embedding degree 1
According to Lemma 4.1, the trace of the Frobenius endomorphism of an elliptic curve with embedding degree k = 1 with respect to must be t ≡ 2 (mod ). We first consider elliptic curves with j = 1728. In this case, the endomorphism ring O is Such a curve has cardinality (m 2 + n 2 ) 2 .
Theorem 4.2 does not specify which of the four curves E i has embedding degree 1, but from Lemma 2.2 we can give more information. If m is even, t i ≡ 2 (mod 4) and i = 0 or 2. Moreover, for an odd prime, we can distinguish between the curves: E 0 corresponds to m ≡ 0 (mod 4) and E 2 to m ≡ 2 (mod 4). So, we can establish a necessary and sufficient condition to ensure that the elliptic curve E 0 or E 2 has embedding degree 1 with respect to . On the other hand, if m is odd, the curve would be E 1 or E 3 . These last curves can not be distinguished since the correct trace depends on the chosen generator of F q * . Koblitz and Menezes show in [14] that over any prime field F p , p = 1 + b 2 , the curve y 2 = x 3 − x has embedding degree 1 for any prime divisor of b if 4 | b and also the curve . It is worth noticing that over F p both curves are isomorphic to E 0 and they are precisely those obtained taking in Theorem 4.2 the values m = 0 and b = n (n even). A special case is also presented in [11].
In order to provide distortion maps for these curves, we must check that E[ ] ⊆ E(F q ). Lenstra ( [15]) describes how to compute the group structure of an elliptic curve via its endomorphism ring.  [15]). Since Thus, distortion maps can exist for a -torsion group, but it is also necessary to check the behaviour of in O K = Z[ √ −1] as mentioned in [7]. Let σ (x, y) = (−x, √ −1y), clearly σ is an endomorphism of E. Since the action of σ on E[ ] has characteristic polynomial X 2 + 1 it is clear that σ is a distortion map for any point P such that is not an eigenvector for it, which only occurs if ≡ 1 (mod 4). Now we consider the case j = 0. The endomorphism ring for an elliptic curve with j = 0 is the maximal order in K = Q( Theorem 4.5 One of the six curves E i : y 2 = x 3 + ω i has embedding degree 1 with respect to if and only if Such a curve has cardinality (3n(n − m) + m 2 ) 2 .
Replacing these values for a, b in the norm of π the result follows.
From Lemma 2.4 if m is even, the specific curve with embedding degree 1 is E 0 or E 3 . Moreover, since > 3, E 0 corresponds to m ≡ 0 (mod 6) and E 3 corresponds to m ≡ 2, 4 (mod 6). The curve E 4 is a quadratic twist of E 1 and E 5 of E 2 . Hence t 1 ≡ t 5 (mod 6) and t 2 ≡ t 4 (mod 6). However, these curves cannot be distinguished since the trace depends on the generator ω.
Kirlar studies in [13] the curves $y^2 = x^3 - c$ over $\mathbb{F}_p$ and he shows that $y^2 = x^3 - 1$ has embedding degree $k = 1$ over $\mathbb{F}_p$, where $p = 1 + 27c^2$ for some natural $c$. Over $\mathbb{F}_p$, Kirlar's curve is exactly $E_0$ and it corresponds to $m = 0$ and $c = n$ in Theorem 4.5. A different case is also presented in [11], the curve $y^2 = x^3 + b$ over $\mathbb{F}_p$, $p = r^2 + r + 1$, $r \equiv 2 \pmod 3$, where $b$ is neither a square nor a cube. This curve is isomorphic to $E_1$ or $E_5$ (it depends on $\omega$) and it corresponds to the case $m = n = 1$.
As for the j = 1728 case, group structure of the elliptic curve can be computed. Proof This proof is similar to that of Lemma 4.3 taking into account that now the endomorphism ring is As before a distortion map can be given using the results of [7].
Corollary 4.7 If E i is an elliptic curve with j = 0 and embedding degree 1, the map σ (x, y) = (ζ 3 x, y), where ζ 3 is a cubic root of unity modulo , will be a distortion map for any point P of prime order > 3, except if ≡ 1 (mod 3) and P is an eigenvector for σ (there are 2 − 2 such points).

Embedding degree 2
An elliptic curve with embedding degree k = 2, with respect to an odd prime , must have trace t ≡ 0 (mod ) (Lemma 4.1). Similarly, like the case k = 1, we can obtain conditions to ensure that the curves E i or E i have embedding degree k = 2. Proofs for these results are similar to those of the results in Section 4.1 and we omit them for simplicity.
For j = 1728, we have: Theorem 4.8 One of the four curves E i : y 2 = x 3 + ω i x has embedding degree 2 with respect to if and only if q = m 2 2 + n − 1, m ≡ n (mod 2) and n − 1 is a square.
For odd integers m, the obtained curve would be E 0 or E 2 , and both cases can be distinguished according to the congruence of t/2 modulo 4. That is, for m ≡ 1 (mod 4) the curve is E 0 , otherwise it is E 2 . For even integers m the corresponding curve is E 1 or E 3 (depending on the generator ω). Since k = 2 there are no distortion maps in this case. The group structure can be easily computed.
The cardinality of the suitable curve is q + 1 − m .
As the trace for these curves is m , the involved curves are E 0 or E 3 if and only if m is even. Moreover, not all values of m, n are admissible, for example, if n = 1 and m is even then q is an even integer. Also, if n = 2, 3, 6 then is not a prime number (not even an integer).

Higher embedding degree
Here, we will sketch the general method to find an elliptic curve E with embedding degree k ≥ 3 for some and j-invariant 1728 or 0. Now, in Lemma 4.1, the kth-root of the unity ζ k depends on the value of . Assume we have fixed a particular value of and ζ k . So, the trace of E can be written as 1 + ζ k + m for some integer m. If j = 1728, then it follows that a = ((1 + ζ k )/2 (mod )) + m , and for j = 0, we have b = (1 + ζ k − 2a (mod )) + n where a, b are the coefficients of the Frobenius endomorphism π. Since divides the cardinality of the curve it is easy to check that q ≡ ζ k (mod ). Replacing the previous expressions in q = N(π ), when j = 1728 we have b 2 = (−(1 − ζ k ) 2 /4 (mod )) + n for some integer n. When j = 0, a must satisfy the equation 0 ≡ 3a(a − ζ k − 1) + ζ 2 k + ζ k + 1 (mod ). Finally, for the computed values of a and b, q must be expressed in a particular form (as in Theorems 4.2, 4.5, 4.8 and 4.10).
For instance, for k = 3, we have the following. (i) One of the four curves E i : y 2 = x 3 + ω i x has embedding degree 3 with respect to if and only if and (3ζ 3 /4 (mod )) + n is a square in the integers. (ii) One of the six curves E i : y 2 = x 3 + ω i has embedding degree 3 with respect to if and only if The group structure for the corresponding curves can also be computed for specific values , m, n and the correct ζ 3 .

Numerical examples
In this section, we present examples of ordinary elliptic curves with low embedding degree (1, 2, 3 or higher) and j-invariant 0 or 1728. The construction of these curves is based on the above theorems. Tables 1 and 2 list some families of elliptic curves constructed following Theorems 4.2, 4.5, 4.8, 4.10, while Table 3 lists elliptic curves with embedding degree 3 following Theorem 4.12. In Table 4, we present some examples of elliptic curves with embedding degree k, 4 ≤ k ≤ 10, and k = 12, 16, 24 following the general method (see Section 4.3).
These tables are divided into two blocks. In the first block elliptic curves with j-invariant 1728 are presented, while the second one corresponds to curves with j-invariant 0. For embedding degree 1 or 2 we show three different families of elliptic curves. For each family we present the general form (for some values of m, n) (on odd numbered lines) as well as a toy example for a particular prime (on even lines) with the same parameters for m, n and the same curve as the previous line.
For these families of elliptic curves with embedding degree 1, we always take to be an odd prime number, but we could also give elliptic curves for any natural number in the above constructions. In these cases, the embedding degree is taken over an odd prime divisor of . For example, if we take m = −1, n = 1 in Theorem 4.2, we obtain for = 4060 that the elliptic curve E 0 over F q , q = p 2 where p = 5741 has embedding degree 1 for the primes 5, 7 and 29. In this way, different values for m, n, can produce the same curve. For example, taking m = −20,     Table 1, searching for which is a Solinas prime (i.e. sum or difference of a small number of powers of 2).
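The following Python sketch is an added example, not code from the paper. It evaluates Definition 1.1 on toy curves with j = 1728 by brute-force point counting, and checks the q = 5741^2 example above. The parameters b = 20 (so p = 1 + b^2 = 401, in the Koblitz-Menezes family quoted in Section 4.1) and p = 43 (a supersingular case, p ≡ 3 mod 4) are constructed for illustration, and all function names are hypothetical.

```python
"""Embedding degree (Definition 1.1) on toy curves with j = 1728 (added example)."""

def count_points(A, B, p):
    """#E(F_p) for y^2 = x^3 + Ax + B over a prime field, by direct enumeration."""
    n = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x * x * x + A * x + B) % p
        if rhs == 0:
            n += 1                          # single point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2                          # Euler criterion: rhs is a square
    return n

def odd_prime_divisors(n):
    """Odd prime divisors of n by trial division (toy sizes only)."""
    while n % 2 == 0:
        n //= 2
    out, d = [], 3
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 2
    if n > 1:
        out.append(n)
    return out

def embedding_degree(q, ell):
    """Smallest k >= 1 with ell | q^k - 1, i.e. the order of q modulo ell."""
    if q % ell == 0:
        raise ValueError("ell must be coprime to q")
    k, acc = 1, q % ell
    while acc != 1:
        acc = acc * q % ell
        k += 1
    return k

def classify(A, B, p):
    """Return (N, 'ordinary' | 'supersingular', {ell: k}) for E over F_p."""
    N = count_points(A, B, p)
    t = p + 1 - N                           # trace of Frobenius
    if t * t > 4 * p:
        raise ArithmeticError("Hasse bound violated, counting is wrong")
    kind = "supersingular" if t % p == 0 else "ordinary"
    degrees = {ell: embedding_degree(p, ell)
               for ell in odd_prime_divisors(N) if ell != p}
    return N, kind, degrees

def page_example():
    """Primes 5, 7, 29 from the q = 5741^2 example: order of q modulo each."""
    q = 5741 ** 2
    return {ell: embedding_degree(q, ell) for ell in (5, 7, 29)}

if __name__ == "__main__":
    print(classify(-1, 0, 401))   # y^2 = x^3 - x, p = 1 + 20^2 (constructed)
    print(classify(1, 0, 43))     # y^2 = x^3 + x, p = 3 mod 4 (constructed)
    print(page_example())
    print(embedding_degree(5741, 29))   # over F_p instead of F_{p^2}
```

The order of p = 5741 modulo 29 is 2, while the order of q = p^2 is 1, so for this prime the embedding degree depends on which base field the curve is considered over.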
Note that the group structure for elliptic curves in the families in Table 2 with j = 1728 is never cyclic. However, there are other examples where it is cyclic. If we take m = 4 and n = 2 in Theorem 4.8 and = (C 2 + 1)/2 a prime, the corresponding curve has cyclic structure. This is never possible for embedding degree 1, as is shown in Lemma 4.3. For higher embedding degrees, as the finite field depends on the k-root of the unity modulo , in Tables 3 and 4 we present some particular examples (not a general family).
It is known that pairing-friendly elliptic curves are sparse (see [1,10,12]). Moreover, since elliptic curves with j-invariant 1728 or 0 are exactly those whose endomorphism ring is Z[ √ −1] or Z[(1 + √ −3)/2], then their presence is quite rare. Bateman-Horn's conjecture [3] allows us to suggest that there exist elliptic curves in the families presented in Tables 1 and 2 for any bit length size of the prime (and so for q). Indeed, the Bateman-Horn's conjecture provides a conjectured density for the positive integers at which a given system of polynomials all have prime values. Figure 1 shows, for each N up to 10 6 , the number of values ≤ N (and so the number of elliptic curves in the corresponding family) such that the involved polynomials (in two of our families) simultaneously take prime values (continuous line). Moreover, we show the corresponding value given by the Bateman-Horn's conjecture (dashed line). More precisely, Figure 1(a) shows the case and q = 4 2 + 1 are prime numbers (first family in Table 1) and Figure 1(b) shows the case = 3C 2 + 1, q = 2 + 3C 2 − 3C are primes (fourth family in Table 2). Hence, we can conclude, for its concordance with the Bateman-Horn's conjecture, that there are infinitely many elliptic curves in our families.
A challenging open question is to prove directly the existence of infinitely many curves in some of our families (disregarding the Bateman-Horn's conjecture). For instance, in Table 2 we can find quadratic binary forms a 2 + bC + cC 2 for expressing q. Relaxing the condition prime, we could apply well-known results over the theory of primes represented by binary quadratic forms (see for example [8]). However, since C and are not independent, it is not so simple to prove it (see Theorem 4.10).