Factoring Polynomials for Constructing Pairing-friendly Elliptic Curves

In this paper we present a new method to construct a polynomial $u(x) \in \mathbb{Z}[x]$ which will make $\mathrm{\Phi}_{k}(u(x))$ reducible. We construct a finite separable extension of $\mathbb{Q}(\zeta_{k})$, denoted as $\mathbb{E}$. By primitive element theorem, there exists a primitive element $\theta \in \mathbb{E}$ such that $\mathbb{E}=\mathbb{Q}(\theta)$. We represent the primitive $k$-th root of unity $\zeta_{k}$ by $\theta$ and get a polynomial $u(x) \in \mathbb{Q}[x]$ from the representation. The resulting $u(x)$ will make $\mathrm{\Phi}_{k}(u(x))$ factorable

Polynomials for Ate Pairing and Atei\mathbf{Ate}_{i} Pairing

The irreducible factor $r(x)$ of $\mathrm{\Phi}_{k}(u(x))$ and $u(x)$ are often used in constructing pairing-friendly curves. $u(x)$ and $u_{c} \equiv u(x)^{c} \pmod{r(x)}$ are selected to be the Miller loop control polynomial in Ate pairing and $\mathrm{Ate}_{i}$ pairing. In this paper we show that when $4|k$ or the minimal prime which divides $k$ is larger than $2$, some $u(x)$ and $r(x)$ can not be used as curve generation parameters if we want $\mathrm{Ate}_{i}$ pairing to be efficient. We also show that the Miller loop length can not reach the bound $\frac{\mathrm{log_{2}r}}{\varphi(k)}$ when we use the factorization of $\mathrm{\Phi}_{k}(u(x))$ to generate elliptic curves