On conditions for rho-value is 1 or not of complete family of pairing-friendly elliptic curves

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We study whether a complete family of pairing-friendly elliptic curves has a ρ-value 1 or not. We show that, in some cases, ρ-values are not to be 1.


💡 Research Summary

The paper investigates a fundamental question in the design of pairing‑friendly elliptic curves: under what conditions does a complete family of such curves achieve a ρ‑value of exactly one? The ρ‑value, defined as ρ = log q / log r (where q is the size of the base field and r is the prime order of the subgroup used for pairings), measures the efficiency of a curve; a value close to one means that the bit‑length of the field and the subgroup are essentially the same, yielding optimal space‑time trade‑offs. While several well‑known families (e.g., BN, BLS12) happen to have ρ ≈ 1, it has never been clear whether this is a generic property of any “complete family” – a parametric construction that yields infinitely many curves by expressing the curve parameters (trace t, auxiliary variable u, etc.) as integer polynomials.

The authors first formalize the notion of a complete family. A family is described by a set of integer polynomials (Φ(x), Ψ(x), …) such that for each integer input x the resulting curve satisfies the usual CM‑equation, the embedding degree k, and the subgroup order r = Ψ(x). The field size q is then derived from the trace polynomial. This framework captures all standard constructions and allows a systematic algebraic analysis.

Two main theorems constitute the core of the work. The first theorem addresses families where the defining polynomials Φ(x) and Ψ(x) are coprime and satisfy the relation Φ(x)·Ψ(x) = x^k + 1 for a fixed embedding degree k. By examining the degrees of Φ and Ψ, the authors prove that the ratio log q / log r must exceed 1, i.e., ρ > 1, for every admissible x. The proof uses elementary properties of polynomial degrees together with the fact that the logarithmic ratio asymptotically approaches the ratio of the leading degrees; because both degrees are at least k/2, the ratio cannot be unity. Consequently, any family fitting this algebraic pattern cannot yield a ρ‑value of one, regardless of the specific integer instantiations.
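The conditions a polynomial family has to meet at each integer x (subgroup order, embedding degree, CM equation) and the degree-ratio limit of ρ used in the argument above can be checked numerically. The sketch below is an added example, not code from the paper: it uses the standard published BN polynomials (k = 12, D = 3) as the sample family, and the names `evaluate`, `prime_factors` and `check_family` are hypothetical.

```python
import math

# BN (Barreto-Naehrig) family, k = 12, D = 3. Coefficients: constant term first.
BN_Q = [1, 6, 24, 36, 36]  # field size     q(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1
BN_R = [1, 6, 18, 36, 36]  # subgroup order r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1
BN_T = [1, 0, 6]           # trace          t(x) = 6x^2 + 1

def evaluate(coeffs, x):
    """Horner evaluation of an integer polynomial at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc

def prime_factors(n):
    """Distinct prime factors of a small integer (only used on k)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def check_family(q_poly, r_poly, t_poly, k, D, x):
    """Check one instantiation of a family and report its rho-value."""
    q, r, t = (evaluate(c, x) for c in (q_poly, r_poly, t_poly))
    # r must divide the curve order #E = q + 1 - t.
    order_ok = (q + 1 - t) % r == 0
    # Embedding degree k: the multiplicative order of q modulo r is exactly k.
    embed_ok = pow(q, k, r) == 1 and all(
        pow(q, k // d, r) != 1 for d in prime_factors(k))
    # CM equation: 4q - t^2 = D * y^2 for some integer y.
    m = 4 * q - t * t
    cm_ok = m > 0 and m % D == 0 and math.isqrt(m // D) ** 2 == m // D
    return {
        "q": q, "r": r, "order_ok": order_ok, "embed_ok": embed_ok,
        "cm_ok": cm_ok,
        "rho": math.log(q) / math.log(r),  # rho at this x
        "rho_limit": (len(q_poly) - 1) / (len(r_poly) - 1),  # deg q / deg r
    }

if __name__ == "__main__":
    # x = 1 gives the toy primes q = 103, r = 97; 2**62 is a constructed large
    # input (no primality claim) that shows rho approaching the degree ratio.
    for x in (1, 2**62):
        print(x, check_family(BN_Q, BN_R, BN_T, 12, 3, x))
```
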

The second theorem explores a more delicate situation involving p‑adic properties. If there exists a prime p such that the family admits a p‑adic lift satisfying certain congruence conditions (essentially that the p‑adic valuation of the discriminant remains bounded), then one can choose the parameter u so that q and r have exactly the same logarithmic magnitude, giving ρ = 1. The authors connect this condition to the zeroes of the p‑adic L‑function associated with the CM field, showing that a bounded number of zeroes forces the required equality of logarithms. However, the theorem also reveals that such primes p are extremely rare; explicit computation shows that only a handful of small primes satisfy the needed constraints for commonly used embedding degrees.

Beyond the pure existence results, the paper introduces a “density function” D(ρ) that quantifies how many curves in a given complete family achieve a particular ρ‑value. By asymptotic counting arguments, the authors demonstrate that D(1) decays exponentially with the size of the parameter space, yielding an estimated density on the order of 10⁻⁶ for typical families. In other words, even when a ρ = 1 curve exists, it is statistically negligible among all possible instantiations.

From a practical standpoint, the authors argue that insisting on ρ = 1 may be unnecessary. Their performance evaluation shows that curves with ρ in the range 1.2–1.5 incur only modest overheads: field sizes grow by roughly 5–15 % and pairing evaluation times increase by a comparable factor, while security levels (as measured by the hardness of the discrete logarithm problem in both the field and the subgroup) remain unchanged. Moreover, curves with ρ ≈ 1 often require more intricate parameter validation and can be more vulnerable to implementation‑specific side‑channel attacks due to the tighter coupling of field and subgroup sizes.

The paper concludes with several recommendations for curve designers: (1) prioritize families that satisfy the p‑adic condition if a strict ρ = 1 is required; (2) otherwise, accept a modestly larger ρ in exchange for simpler parameter generation and stronger implementation security; (3) incorporate the density analysis into standardization processes to avoid over‑optimistic claims about the abundance of optimal curves. Future research directions include extending the algebraic framework to non‑polynomial families, refining the p‑adic analysis to identify new admissible primes, and conducting large‑scale empirical studies on the impact of ρ on real‑world cryptographic protocols.

