Heuristics of the Cocks-Pinch method

We heuristically analyze the Cocks-Pinch method by using the Bateman-Horn conjecture. In particular, we present the first known heuristic suggesting that any efficient construction of pairing-friendly elliptic curves can also efficiently generate such curves over pairing-friendly fields; this naturally includes the Cocks-Pinch method. Finally, some numerical evidence is given.

1. Introduction

1.1. Motivation. Mainly inspired by the following pioneering works: three-party one-round key agreement [17], identity-based encryption [4,27], short signature scheme [6], easing the cryptographic applications of pairings [30] and efficient computation of pairings associated to elliptic curves [22], there has been a flurry of activity in the design and analysis of cryptographic protocols using pairings on elliptic curves. More in-depth studies of pairing-based cryptography can be found in the expository articles [14,26], and in the extensive research literature.
The elliptic curves suitable for implementing pairing-based systems should have a small embedding degree with respect to a large prime-order subgroup. We call them pairing-friendly elliptic curves. More precisely, a pairing-friendly elliptic curve over a finite field $\mathbb{F}_q$ contains a subgroup of large pr
ime order $r$ such that for some $k$, $r \mid q^k - 1$ and $r \nmid q^i - 1$ for $0 < i < k$, and the parameters $r$, $q$ and $k$ should satisfy the following conditions:
• $r$ should be large enough so that the Discrete Logarithm Problem (DLP) in an order-$r$ subgroup of $E(\mathbb{F}_q)$ is infeasible.
• $k$ should be sufficiently large so that the DLP in $\mathbb{F}_{q^k}^*$ is intractable.
• $k$ should be small enough so that arithmetic in $\mathbb{F}_{q^k}$ is feasible.
Here, $k$ is called the embedding degree of $E$ with respect to $r$, and the ratio $\log q / \log r$ is called the rho-value of $E$ with respect to $r$. There is a specific definition of pairing-friendly elliptic curve in [12, Definition 2.3], namely that it should satisfy $r \ge \sqrt{q}$ and $k \le \log_2(r)/8$, where $\log_2$ is the binary logarithm.
These conditions make pairing-friendly curves rare, and they cannot be constructed by random generation. This naturally produces two important problems:

The earliest constructions of pairing-friendly curves involved supersingular curves. However, on the one hand, due to the MOV attack [21], the Frey-Rück reduction [13] and most recently [16], supersingular curves are widely believed to have cryptographic weaknesses; on the other hand, for supersingular curves the embedding degree $k$ has only five choices, namely $k \in \{1, 2, 3, 4, 6\}$. Thus, it seems quite important to construct ordinary curves with the above properties.
After the consecutive efforts of many researchers, many methods for constructing ordinary curves have been found. An exhaustive survey can be found in [12], where the authors gave a coherent framework for all existing constructions. Unfortunately, none of these constructions has been rigorously analyzed. Even heuristic analysis is far from sufficient, except for the so-called MNT curves [23]. For the heuristic analysis of MNT curves, see [20,29]. Most recently, a heuristic asymptotic formula for the number of isogeny classes of pairing-friendly curves over prime fields was presented in [8], and some heuristic arguments about the Barreto-Naehrig family [2] were also given therein.
It is widely accepted that the Cocks-Pinch method [9] is one of the most flexible algorithms for constructing pairing-friendly curves: it can produce many curves, with arbitrary embedding degree, with prime-order subgroups of nearly arbitrary size, and so on. We recall it in Section 2.
In addition, pairing-friendly fields were introduced by Koblitz and Menezes [18] as an efficient way to implement cryptographic bilinear pairings. They define a field $\mathbb{F}_{p^k}$ as pairing-friendly if the prime characteristic $p \equiv 1 \pmod{12}$ and the embedding degree $k = 2^i 3^j$ with $i > 0$. If $j = 0$, it only needs $p \equiv 1 \pmod 4$. Pairing-friendly curves over pairing-friendly fields are therefore attractive.

1.2. Main results. In this paper, firstly we give two different kinds of heuristics justifying the same asymptotic formula for the Cocks-Pinch method. This confirms the general consensus that most curves constructed by this method have rho-value around 2. One is borrowed directly from [8]; the other is based on the Bateman-Horn conjecture. Finally, we will see that the formula is compatible with numerical data. The reason we present the latter is that in many cases the Bateman-Horn conjecture is indispensable for such heuristics, see for example [29]. Through the comparison here, we can say that such heuristics based on the Bateman-Horn conjecture are likely to be reasonable.
Secondly, we present the first known heuristics about pairing-friendly curves over pairing-friendly fields. The heuristics suggest that any efficient construction of pairing-friendly curves is also an efficient construction of such curves over pairing-friendly fields, naturally including the Cocks-Pinch method. In particular, the heuristics will be confirmed by the numerical data from the Cocks-Pinch method.
1.3. Preliminary and Notation. Let $\Phi_k$ be the $k$-th cyclotomic polynomial. The existing constructions of ordinary curves with small embedding degree typically work in the following two steps.
Since $r \mid \Phi_k(q)$, $k$ is the multiplicative order of $q$ modulo $r$ and then $k \mid r - 1$. In order to satisfy practical requirements, $k$ should be reasonably small, while the rho-value should be as small as possible, preferably close to 1.
Unfortunately, the second step above is feasible only if $t^2 - 4q$ has a very small square-free part; that is, if the so-called CM equation $4q = t^2 + Du^2$ holds with some integers $u$ and $D$, where $D$ is a small square-free positive integer. In this case, for example when $D \le 10^{13}$ (see [28]), $E$ can be efficiently constructed via the CM method (see [1, Section 18.1]). Here, $D$ is called the CM discriminant of $E$. Recall that a well-known kind of construction of pairing-friendly curves with $k$ and $D$ fixed is called a complete polynomial family. Briefly speaking, the idea is to parameterize $r, t, q, u$ as polynomials and then choose $r(x), t(x), q(x), u(x)$ satisfying Conditions (1.1) and (1.2) for any $x$. Here we define the ratio $\deg q(x) / \deg r(x)$ as the rho-value of the family. See [12, Section 2.1] for more details.
Throughout the paper, we use the Landau symbols $O$ and $o$ and the Vinogradov symbol $\ll$. We recall that the assertions $U = O(V)$ and $U \ll V$ are both equivalent to the inequality $|U| \le cV$ with some constant $c$, while $U = o(V)$ means that $U/V \to 0$.
In this paper, we also use the asymptotic notation ∼. Let f and g be two real functions with respect to x, both of them are strictly positive for sufficiently large x. We say that f is asymptotically equivalent to g as x → ∞ if f (x)/g(x) → 1 when x → ∞, denoted by f (x) ∼ g(x).

2. Heuristics of the Cocks-Pinch method
2.1. Background on the Cocks-Pinch method. In an unpublished manuscript [9], Cocks and Pinch proposed an algorithm for constructing pairing-friendly curves with arbitrary embedding degree. More precisely (see [12, Theorem 4.1] or [14, Algorithm IX.4]), fix an embedding degree $k$ and a CM discriminant $D$, then execute the following steps:
Step 1. Choose a prime $r$ such that $k \mid r - 1$ and $-D$ is a square modulo $r$.
Step 2. Choose an integer $g$ which is a primitive $k$-th root of unity in $(\mathbb{Z}/r\mathbb{Z})^*$.
Step 3. Put $t' = g + 1$ and choose an integer $u'$
Step 4. Let $t \in \mathbb{Z}$ be congruent to $t'$ modulo $r$, and let $u \in \mathbb{Z}$ be congruent to $u'$ modulo $r$. Put $q = (t^2 + Du^2)/4$.
Step 5. If $q$ is an integer and prime, then there exists an elliptic curve $E$ over $\mathbb{F}_q$ with an order-$r$ subgroup and embedding degree $k$. If $D$ is not too large, then $E$ can be efficiently constructed via the CM method.

First, we notice that every triple $(r, t, q)$ satisfying Conditions (1.1) and (1.2) with $q$ prime can be generated by the Cocks-Pinch method.
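As an added worked verification (not part of the original text), here is why Step 5 delivers an order-$r$ subgroup and embedding degree $k$. It uses Step 3 in the standard form given in [12, Theorem 4.1], namely $u' \equiv (t' - 2)/\sqrt{-D} \pmod r$, where $\sqrt{-D}$ is either of the two square roots of $-D$ modulo $r$ guaranteed by Step 1 (these two roots are the two choices of $u'$ referred to in the proof of Estimate 2.3). Since $t \equiv t'$ and $u \equiv u' \pmod r$,
$$
Du^2 \equiv D \cdot \frac{(t'-2)^2}{-D} \equiv -(t'-2)^2 \pmod r,
\qquad
4q = t^2 + Du^2 \equiv t'^2 - (t'-2)^2 = 4(t'-1) = 4g \pmod r .
$$
As $r \ge 5$, the factor $4$ is invertible modulo $r$, so $q \equiv g \pmod r$. Hence a curve $E/\mathbb{F}_q$ with trace of Frobenius $t$ satisfies
$$
\#E(\mathbb{F}_q) = q + 1 - t \equiv g + 1 - (g + 1) \equiv 0 \pmod r,
$$
and, because $g$ is a primitive $k$-th root of unity modulo $r$, $q^i \equiv g^i \equiv 1 \pmod r$ holds exactly when $k \mid i$; that is, $r \mid q^k - 1$ and $r \nmid q^i - 1$ for $0 < i < k$, so the embedding degree of $E$ with respect to $r$ is $k$. The CM method supplies such an $E$ because $t^2 - 4q = -Du^2$ is of the CM form required in Section 1.3.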
Given a real number $\rho > 0$, let $F_{k,D,\rho}(x)$ be the number of triples $(r, t, q)$ constructed by the Cocks-Pinch method with fixed $k$ and $D$ such that $q$ is an odd prime, $r \le x$ and $q \le r^\rho$. The previous paragraph implies that there is a natural one-to-one correspondence between the triples $(r, t, q)$ here and the triples in [8, Estimate 1]. The reason we use the parameter $q$ in the triples here is that we want to underline its importance.
In the sequel, first we will extend [8, Estimate 1] to all ρ > 1 for F k,D,ρ (x), for the sake of completeness. Then we will give another approach to this heuristic formula by applying the Bateman-Horn conjecture. In Section 4, we will see that this formula is compatible with numerical data.

2.2. Heuristics from algebraic number theory. As in the above discussion, Boxall [8, Estimate 1] actually obtained a heuristic asymptotic formula for $F_{k,D,\rho}(x)$ when $1 < \rho < 2$.

Estimate 2.1. (2) If there exists a complete polynomial family $(r(x), t(x), q(x))$ of pairing-friendly curves with rho-value 1, embedding degree $k$ and CM discriminant $D$, then $\rho > 1 + 1/\deg r(x)$. Then we have the following heuristic asymptotic formula

Proof. For the heuristic arguments of [8, Estimate 1], the condition $1 < \rho < 2$ is only used in [8, Page 87, Step 3]. Notice that the number of prime ideals of $\mathbb{Q}(\sqrt{-D})$ with norm bounded by $x$ is asymptotically equivalent to $x/\log x$ as $x \to \infty$, but the number of prime ideals with norm bounded by $x$ whose underlying prime number is inert is $O(\sqrt{x}/\log \sqrt{x})$. So, as $x \to \infty$, we get the same heuristic formula when $\rho \ge 2$.
As explained in [8], without the two assumptions in Estimate 2.1, the asymptotic formula may no longer hold. In particular, if there exists a complete polynomial family with rho-value 1, embedding degree $k$ and CM discriminant $D$, then this family can generate more triples than predicted by (2.1). For example, the Barreto-Naehrig family is currently the only known complete polynomial family with rho-value 1; for this family $k = 12$, $D = 3$ and $\deg r(x) = 4$, see Table 7 for numerical data.
Now we want to say more about the parameters in (2.1). It is well known that $w_D$ is given by the following formula:

Furthermore, by the well-known Dirichlet class number formula for imaginary quadratic fields (for example see [10, Exercise 10.5.12]), we know

where the symbol appearing there is the Kronecker symbol. Based on the following lemma, we can get another version of the above proposition, that is,

The lemma is surely well known, but it is more convenient to give a simple proof than to find a reference. We will use it later.
Lemma 2.2. For any real numbers $a$, $m$, $s$ with $a > 1$ and $s < 1$, we have

Proof. Integrating by parts, we obtain

We choose a positive real number $A$ such that $A > a$ and

It is widely accepted that the rho-value of curves produced by the Cocks-Pinch method tends to be around 2. From (2.3) we can easily see that when $\rho$ is close to 1, curves with such a rho-value are rare among the whole family constructed by the Cocks-Pinch method.

2.3. Heuristics from the Bateman-Horn conjecture. The Bateman-Horn conjecture has been used to analyze some constructions of pairing-friendly elliptic curves, see [8,29]. In this subsection, applying the Bateman-Horn conjecture we will give another approach to justify the heuristic asymptotic formula for $F_{k,D,\rho}(x)$ in Estimate 2.1.
The Bateman-Horn conjecture provides a conjectured density for the positive integers at which a given system of polynomials all take prime values, see [3]. We recall it here for the convenience of the reader.
Given any finite set $F = \{f_1, f_2, \dots, f_m\}$ consisting of irreducible polynomials $f_1(T), \dots, f_m(T) \in \mathbb{Z}[T]$ with positive leading coefficients and such that there is no prime $p$ with $p \mid f_1(n) \cdots f_m(n)$ for every integer $n \ge 1$, the Bateman-Horn conjecture says

where $C(F)$ is given by the conditionally convergent infinite product

and

Based on Lemma 2.2, we can get another version of the Bateman-Horn conjecture, that is,

which we will use in the sequel.
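For the reader's convenience, here is the standard statement of the Bateman-Horn conjecture from [3], added here as a worked restatement in the notation of this subsection (it is not the paper's own display). For $F = \{f_1, \dots, f_m\}$ as above,
$$
\#\{\, 1 \le n \le x : f_1(n), \dots, f_m(n) \text{ are all prime} \,\} \;\sim\; \frac{C(F)}{\prod_{i=1}^{m} \deg f_i} \int_2^x \frac{dt}{(\log t)^m},
\qquad
C(F) = \prod_{p} \frac{1 - N_F(p)/p}{(1 - 1/p)^m},
$$
where $N_F(p)$ denotes the number of residue classes $n \bmod p$ with $f_1(n) \cdots f_m(n) \equiv 0 \pmod p$. For the single polynomial $f_u(T) = T^2 + Du^2$ used in the proof of Estimate 2.3 (so $m = 1$ and $\deg f_u = 2$), an odd prime $p \nmid Du$ has $N_{f_u}(p) = 1 + \left(\frac{-D}{p}\right)$ by the definition of the Legendre symbol, while an odd prime $p \mid u$ with $p \nmid D$ has $N_{f_u}(p) = 1$; the factors at all other primes are the same for $f_u$ and $f_1$, hence
$$
\frac{C(f_u)}{C(f_1)} = \prod_{\substack{p \mid u \\ p \nmid 2D}} \frac{1 - 1/p}{1 - \bigl(1 + \left(\frac{-D}{p}\right)\bigr)/p},
$$
a multiplicative function of $u$ whose value at such a prime $p$ is $1 - 1/p$ when $\left(\frac{-D}{p}\right) = -1$ and $\frac{p-1}{p-2} \le 1 + 3/p$ when $\left(\frac{-D}{p}\right) = 1$, in agreement with the bounds $1 - 1/p \le g(p) \le 1 + 3/p$ stated for $g$ in that proof.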
Notice that the ring of integers of $\mathbb{Q}(\sqrt{-D})$ is $\mathbb{Z}[(1 + \sqrt{-D})/2]$ if $D \equiv 3 \pmod 4$ and $\mathbb{Z}[\sqrt{-D}]$ otherwise. Since $(t + u\sqrt{-D})/2$ is an algebraic integer of $\mathbb{Q}(\sqrt{-D})$, $t$ and $u$ must have the same parity if $D \equiv 3 \pmod 4$, and otherwise both of them must be even.
Proof. We investigate the first four steps of the Cocks-Pinch method one by one.
Let $r \ge 2$ be any integer. The probability that $r$ is prime is $1/\log r$; here we use the usual heuristic that the probability of a random integer $n$ being prime is $1/\log n$. Since $k$ has finitely many prime factors, for an arbitrary prime $r$ the probability that $r \nmid k$ is $1$. Notice that there are $\varphi(k)$ residue classes modulo $k$ consisting of integers prime to $k$, so the probability that $r$ is prime and $k \mid r - 1$ is

Since $k \mid r - 1$, $r$ splits completely in $\mathbb{Q}(\zeta_k)$. Therefore, if $\mathbb{Q}(\sqrt{-D}) \not\subseteq \mathbb{Q}(\zeta_k)$, the probability that $-D$ is a square modulo $r$ is $1/2$ (and if $\mathbb{Q}(\sqrt{-D}) \subseteq \mathbb{Q}(\zeta_k)$, then $r$ also splits in $\mathbb{Q}(\sqrt{-D})$, so $-D$ is always a square modulo $r$). So the probability that $-D$ is a square modulo $r$ is $e(k, D)/2$.
When $r$ is fixed, the number of choices of $g$ is $\varphi(k)$. After fixing $g$, $t'$ is fixed and $u'$ has two choices.
Thus, for an arbitrary integer $r \ge 2$, the probability that $r$ satisfies Steps 1, 2 and 3 is $e(k, D)/\log r$. Moreover, it also needs that $r \ge 5$. In the sequel, we investigate Step 4.
Since $D \equiv 1, 2 \pmod 4$, $t$ and $u$ must be even. So it is equivalent to count the number of integer pairs $(t, u)$ such that $q = t^2 + Du^2$ is prime with $q \le r^\rho$. Then for the integers $t$ and $u$, we have $|t| \le \sqrt{r^\rho}$ and $|u| \le \sqrt{r^\rho/D}$. Notice that the ratio between the area of the ellipse $\Lambda : t^2 + Du^2 = r^\rho$ and that of the rectangle $\Omega = \{(t, u) : |t| \le \sqrt{r^\rho},\ |u| \le \sqrt{r^\rho/D}\}$ is $\pi/4$. Now we assume that the ratio of the number of integer pairs $(t, u)$ in $\Lambda$ and that in $\Omega$ is also $\pi/4$. Subsequently, we first count the number of $(t, q)$ with $q = t^2 + Du^2$ prime, $t \le \sqrt{r^\rho}$ and $u \le \sqrt{r^\rho/D}$, and then to get the final result we need to multiply this amount by $\pi/4$.

For every integer $u \ge 1$, let $f_u(T) = T^2 + Du^2 \in \mathbb{Z}[T]$. For $F = \{f_u\}$, it satisfies the required conditions. By the Bateman-Horn conjecture, we have

where

It is easy to see that

We also set $g(2^n) = 1$ for any integer $n \ge 0$. This makes $g(u)$ a multiplicative function. Notice that

Obviously, $C(f_u) = C(f_1) \cdot g(u)$. Then we have

Here we need an asymptotic formula for

Notice that $g(u)$ is a multiplicative function and $1 - 1/p \le g(p) \le 1 + 3/p$ for any prime $p$. Recall Mertens' second theorem

where $B_1$ is an absolute constant (see [15, Theorem 427]). Then, we get

where $\pi(X)$ is the number of primes less than or equal to $X$. Then by [11, Proposition 4], we have $S(X) = (C_g + o(1))X$, where

Notice that $g(p^n) = g(p)$ for any prime $p$ and any $n \ge 1$. Then, we have

Thus,

where $L_D$ has been defined in (2.2). Hence,

Note that $t$ can be a negative integer. We also note that if $t'$ and $u'$ are fixed, then the residue classes modulo $r$ to which $t$ and $u$ belong are also fixed. So the expected number of pairs $(t, q)$ associated to a triple $(r, t', u')$ with $q \le r^\rho$ is asymptotically equivalent to

as $r \to \infty$. Therefore, we have

For the Cocks-Pinch method, it is fortunate that we can apply two different kinds of heuristics.
But in general, the Bateman-Horn conjecture is indispensable when investigating the constructions of pairing-friendly curves. Estimate 2.3 tells us that such investigations based on the Bateman-Horn conjecture are likely to be reasonable.

2.4. Remark. Boneh, Rubin and Silverberg [7] have found that the Cocks-Pinch method can be used to construct elliptic curves with embedding degree $k$ with respect to $r$, where $r$ is a large composite number. This kind of elliptic curve was first used by Boneh, Goh and Nissim [5] for partially homomorphic encryption, and such curves now have a number of other important applications in cryptography. The methods of this section could also be applied to obtain heuristic estimates in this context.

3. Involving Pairing-friendly Fields
In this section, we want to heuristically count the number of triples $(r, t, q)$ constructed by the Cocks-Pinch method such that $q$ is a prime and $q \equiv 1 \pmod 4$ or $q \equiv 1 \pmod{12}$.
Let $G_{k,D,\rho}(x)$ be the number of triples $(r, t, q)$ constructed by the Cocks-Pinch method with fixed $k$ and $D$ such that $q$ is an odd prime, $q \equiv 1 \pmod 4$, $r \le x$ and $q \le r^\rho$. Let $H_{k,D,\rho}(x)$ be the number of such triples $(r, t, q)$ when we furthermore require that $q \equiv 1 \pmod{12}$.
From the CM equation $4q = t^2 + Du^2$,

Proof. Since $3 \mid D$, $t^2 + Du^2 \equiv t^2 \equiv 1 \pmod 3$ holds only if $3 \nmid t$. Assume that $3 \mid t$. Then $3 \mid 4q$, thus $q = 3$ and $t^2 + Du^2 = 12$, which forces $D = 3$ and either $t = 0$, $u = \pm 2$ or $t = \pm 3$, $u = \pm 1$. If $t = 0$, then $r \mid q + 1 \pm t = 4$, impossible since $r \ge 5$. If $t = 3$, then $r \mid q + 1 - t = 1$, impossible. The remaining case $t = -3$ gives $r \mid q + 1 - t = 7$, i.e. the single degenerate triple $(r, t, q) = (7, -3, 3)$. Hence, apart from this one triple, i.e. whenever $q > 3$, we must have $3 \nmid t$, and thus we always have $t^2 + Du^2 \equiv 1 \pmod 3$.

Proof. (1) Since $D \equiv 1 \pmod 4$, $t$ and $u$ must be even. Notice that since $D$ and $q$ are odd, $t/2$ and $u/2$ must have different parities. In both cases $q = (t/2)^2 + D(u/2)^2 \equiv 1 \pmod 4$, as $D \equiv 1 \pmod 4$. Thus it is always true that $q \equiv 1 \pmod 4$. So we prove (1).
(2) Since $q \equiv 1 \pmod 4$, we know that $q \equiv 1 \pmod{12}$ if and only if $q \equiv 1 \pmod 3$, i.e. (as $4q \equiv q \pmod 3$) if and only if $t^2 + Du^2 \equiv 1 \pmod 3$. Then (2) follows from Proposition 3.1.
(3) Since $4q \equiv q \pmod 3$, we see that $t^2 + Du^2 \equiv 1 \pmod 3$ if and only if $q \equiv 1 \pmod 3$. Furthermore, whether $q \equiv 1 \pmod 3$ or not depends only on the splitting behaviour of $q$ in $\mathbb{Q}(\sqrt{-3})$. Notice that since $3 \nmid D$, we have $H_D \cap \mathbb{Q}(\sqrt{-3}) = \mathbb{Q}$. Therefore, the splitting behaviours of $q$ in $H_D$ and in $\mathbb{Q}(\sqrt{-3})$ are independent. Subsequently, the two events that $q$ is a prime and that $q \equiv 1 \pmod 3$ are independent. So by Dirichlet's theorem on arithmetic progressions, asymptotically as $X \to \infty$ half of the primes $q \le X$ constructed by the Cocks-Pinch method satisfy $q \equiv 1 \pmod 3$. Then the desired result follows.

For the case $D \equiv 2, 3 \pmod 4$, the heuristics are also straightforward.
Estimate 3.6. Assume that $k \ge 3$ and $D \equiv 2, 3 \pmod 4$. Then the following hold heuristically.

Proof. We divide the proof into three parts according to three cases.

(I) Assume that $D \equiv 2 \pmod 4$. Then $t$ and $u$ must be even. Notice that since $D$ is even and $q$ is odd, $t/2$ must be odd. Then $(t/2)^2 + D(u/2)^2 \equiv 1 \pmod 4$ holds if and only if $u/2$ is even. Suppose that the even and odd parities of $u/2$ are equally likely. Then the probability that $q \equiv 1 \pmod 4$ is $1/2$, which proves (1).

(II) Assume that $D \equiv 7, 15 \pmod{16}$. Since $D \equiv 3 \pmod 4$, $t$ and $u$ must have the same parity. Furthermore, since $D \equiv 7, 15 \pmod{16}$, we claim that $t$ and $u$ must be even.
Suppose that $t$ and $u$ are odd. Consider the CM equation $4q = t^2 + Du^2$. Since $q$ is odd, $4q$ is congruent to $4$ or $12$ modulo $16$. But $t^2 + Du^2$ is congruent to $0$ or $8$ modulo $16$ when $D \equiv 7, 15 \pmod{16}$, because odd squares are congruent to $1$ or $9$ modulo $16$. This is a contradiction.
Since $D$ and $q$ are odd, $t/2$ and $u/2$ must have different parities, which naturally gives two cases. Suppose that these two cases are equally likely. Then the probability that $(t/2)^2 + D(u/2)^2 \equiv 1 \pmod 4$ is $1/2$, which proves (1). (2) and (3): apply the same arguments as in (I).

(III) Assume that $D \equiv 3, 11 \pmod{16}$. First suppose that both $t$ and $u$ are even. The deduction and the result in this case are the same as in (II). Now suppose that both $t$ and $u$ are odd. Notice that when $n$ is an odd integer, $n^2 \equiv 1, 9 \pmod{16}$. In this case, the pairs $(t^2, u^2)$ can be divided into four classes according to the residue classes modulo $16$ of $t^2$ and $u^2$. Suppose that all four classes are equally likely. Then, when $D \equiv 3, 11 \pmod{16}$, the probability that $t^2 + Du^2 \equiv 4 \pmod{16}$, i.e. that $q \equiv 1 \pmod 4$, is $1/2$.
Notice that we obtain the same result for the two parities, so the probability that $q \equiv 1 \pmod 4$ is $1/2$. So we prove (1).
From the above results, the heuristics suggest that pairing-friendly curves over pairing-friendly fields can be efficiently constructed by the Cocks-Pinch method. Notice that there are 18 cases in the above proofs, according to $D$ modulo 4 or 16 and $D$ modulo 3. In the next section, we will see that the heuristic results of this section are compatible with numerical data.
Remark 3.7. Notice that the above heuristics are independent of the Cocks-Pinch method; they can be applied to any other construction. So we can say that any efficient construction of pairing-friendly curves is also an efficient construction of pairing-friendly curves over pairing-friendly fields.

4. Numerical Evidence
To test Estimate 2.1 and the heuristic results in Section 3, we wrote a program in PARI/GP [25] that executes the Cocks-Pinch method and searches for all triples $(r, t, q)$ with $k$, $D$ and $\rho$ given and $r$ in some interval $[a, b]$.
For given $k, D, \rho, a$ and $b$, we denote by $N_1(k, D, \rho, a, b)$ the number of triples $(r, t, q)$ as in Estimate 2.1 with $a \le r \le b$. We denote by $N_2(k, D, \rho, a, b)$ (resp. $N_3(k, D, \rho, a, b)$) the number of such triples with $q \equiv 1 \pmod 4$ (resp. $q \equiv 1 \pmod{12}$). The outputs of the program are these three quantities.
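As an added worked example, serving both the algorithm of Section 2.1 and the counts $N_1, N_2, N_3$ just defined, the following Python script carries out Steps 1-5 of the Cocks-Pinch method for fixed $k$ and $D$, enumerates every triple $(r, t, q)$ with $a \le r \le b$, $q$ an odd prime and $q \le r^\rho$, and reports $N_1, N_2, N_3$. It is not the paper's PARI/GP program and not code from any cited reference. Step 3 is implemented in its standard form from [12, Theorem 4.1], $u' \equiv (t' - 2)/\sqrt{-D} \pmod r$ with both square roots of $-D$ tried; the Miller-Rabin test, the Tonelli-Shanks square root, the enumeration bounds and all function names are my own helpers. The triples are collected in a set because $(t, u)$ and $(t, -u)$ yield the same $(r, t, q)$.

```python
from math import gcd, isqrt
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin, deterministic for n < 3.3e24 with these twelve bases."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def sqrt_mod(a, p):
    """Tonelli-Shanks: x with x*x == a (mod p) for an odd prime p; None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    s = ((p - 1) & (1 - p)).bit_length() - 1  # p - 1 = 2^s * q with q odd
    q = (p - 1) >> s
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:  # any quadratic non-residue will do
        z += 1
    m, c, t, x = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, x = i, b * b % p, t * b * b % p, x * b % p
    return x

def primitive_kth_roots(k, r):
    """All phi(k) primitive k-th roots of unity modulo the prime r (requires k | r - 1)."""
    ell = [l for l in range(2, k + 1) if k % l == 0 and is_prime(l)]
    for x in range(2, r):
        g = pow(x, (r - 1) // k, r)
        if all(pow(g, k // l, r) != 1 for l in ell):
            return [pow(g, j, r) for j in range(1, k + 1) if gcd(j, k) == 1]
    return []

def cocks_pinch_triples(k, D, rho, a, b):
    """Steps 1-5 of Section 2.1 for each prime a <= r <= b (r >= 5): sorted (r, t, q), q an odd prime <= r**rho."""
    found = set()
    for r in range(max(a, 5), b + 1):
        if not is_prime(r) or (r - 1) % k:            # Step 1: r prime with k | r - 1
            continue
        s = sqrt_mod(-D, r)                           # Step 1: -D a square modulo r
        if s is None:
            continue
        bound = int(4 * r ** rho)                     # 4q = t^2 + D u^2 <= 4 r^rho
        tmax, umax = isqrt(bound), isqrt(bound // D)
        for g in primitive_kth_roots(k, r):           # Step 2
            tp = (g + 1) % r                          # Step 3: t' = g + 1
            for root in (s, r - s):                   # Step 3: u' has two choices
                up = (tp - 2) * pow(root, -1, r) % r  # u' = (t' - 2)/sqrt(-D) mod r
                for t in range(tp - r * ((tp + tmax) // r), tmax + 1, r):      # Step 4: lifts of t'
                    for u in range(up - r * ((up + umax) // r), umax + 1, r):  # Step 4: lifts of u'
                        num = t * t + D * u * u
                        if num % 4:
                            continue
                        q = num // 4                  # Step 5: q integer, odd prime, <= r^rho
                        if q > r ** rho or q % 2 == 0 or not is_prime(q):
                            continue
                        found.add((r, t, q))          # (t, u) and (t, -u) give the same triple
    return sorted(found)

def embedding_degree(q, r, kmax=64):
    """Smallest k >= 1 with r | q^k - 1, or None if it exceeds kmax."""
    for k in range(1, kmax + 1):
        if pow(q, k, r) == 1:
            return k
    return None

def count_triples(k, D, rho, a, b):
    """(N1, N2, N3): all triples, those with q = 1 (mod 4), those with q = 1 (mod 12)."""
    triples = cocks_pinch_triples(k, D, rho, a, b)
    n2 = sum(1 for _, _, q in triples if q % 4 == 1)
    n3 = sum(1 for _, _, q in triples if q % 12 == 1)
    return len(triples), n2, n3

if __name__ == "__main__":
    # Constructed small range so this runs in seconds; the paper's tables use r in [10^4, 10^8].
    for k, D in ((4, 1), (6, 3), (6, 2), (12, 3)):
        n1, n2, n3 = count_triples(k, D, 2, 1000, 4000)
        print(f"k={k:2d} D={D}: N1={n1:5d}  N2/N1={n2 / max(n1, 1):.3f}  N3/N1={n3 / max(n1, 1):.3f}")
```

Running it with the parameters in the script prints, for each $(k, D)$, the count $N_1$ and the ratios $N_2/N_1$ and $N_3/N_1$, which can be compared directly with the predictions of Section 3: for $D = 1$ every $q$ is $\equiv 1 \pmod 4$, for $D = 3$ every $q$ is $\equiv 1 \pmod 3$, and for $D = 2$ roughly half of the $q$ are $\equiv 1 \pmod 4$. The tiny case $r = 5$, $k = 4$, $D = 1$, $\rho = 2$ can be checked by hand: the method yields exactly $q \in \{13, 17\}$, each with two traces.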
For $N_1(k, D, \rho, a, b)$, under some assumptions, there exists a heuristic formula from Estimate 2.1, stated as follows

Let $I_1 = e(k, D)^{-1} I(k, D, \rho, a, b)$. Then $I_1$ depends only on $D$ and $\rho$ but not on $k$.
In Section 3, we presented some definite or heuristic results about the relations among $N_i(k, D, \rho, a, b)$, $i = 1, 2, 3$. We list them as follows: if $D \equiv 1 \pmod 4$ and $D \equiv 0 \pmod 3$,

Similarly to $I_1$, and by (4.2) and (4.3), we define $I_2$ and $I_3$ by analogy with $N_2(k, D, \rho, a, b)$ and $N_3(k, D, \rho, a, b)$, respectively.
In this section, we will test all these results by numerical data.
The explanations of Tables 4, 5 and 6 are the same as those of Tables 1, 2 and 3, respectively. Here, we choose other values of $D$ so as to cover exactly the 18 cases of Section 3.
Although Tables 1-6 show that (4.2)-(4.4) are supported by the numerical data, there is some discrepancy between the expected and the computed values. For Tables 1 and 4 this is to be expected, because for the Bateman-Horn conjecture there seems to be no good conjecture for the remainder term; see for example [19] for a discussion of the case of prime pairs. Thus it may also be a hard problem to find one in the context of Estimate 2.1. The discrepancy in Tables 2, 3, 5 and 6 arises from the assumptions made in Section 3, and it also seems hard to make them more precise. But most of the computed values and all the average values are close to the expected values, which gives us confidence in the heuristic results. Table 7 gives the values of $N_i(12, 3, \rho, 10^4, 10^8)$ for various $\rho$ and $i = 1, 2, 3$. It shows that there is a big gap between $I(12, 3, \rho, 10^4, 10^8)$ and $N_1(12, 3, \rho, 10^4, 10^8)$ when $\rho < 1.25$, because in this case the Barreto-Naehrig family violates the assumptions of Estimate 2.1. But even in this exceptional case, (4.2)-(4.4) are compatible with the numerical data.

Acknowledgement
The author would like to thank Prof. Igor Shparlinski for introducing him to pairing-friendly elliptic curves and providing many stimulating suggestions. He is grateful to Prof. John Boxall for his valuable comments and helpful discussions, which played a very important role in improving this paper. He also thanks Dr. Nicolas Mascot and Dr. Aurel Page for teaching him how to use the PlaFRIM. Finally, he thanks the referee for careful reading and useful comments.