Fast Formulas for Computing Cryptographic Pairings

Transcription

1 Fast Formulas for Computing Cryptographic Pairings Craig Costello Queensland University of Technology May 28, / 47

2 Thanks: supervisors and co-authors Prof. Colin Boyd Dr. Juanma Gonzalez Nieto Dr. Kenneth Koon-Ho Wong Prof. Alice Silverberg (UC-Irvine) Prof. Kristin Lauter (Microsoft Research/UC-San Diego) A. Prof. Huseyin Hisil Dr. Douglas Stebila Prof. Tanja Lange Dr. Michael Naehrig (QUT/Ismir Yasar) (QUT) (T.U. Eindhoven) (T.U. Eindhoven/Microsoft) 2 / 47

3 Motivation Pairings Our work Summary Thanks: funding and institutes 3 / 47

4 Associated Publications **C. Costello, H. Hisil, C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Faster pairings on special Weierstrass curves. Pairing Stanford, USA., T. Lange, and M. Naehrig. Faster pairing computations on curves with high-degree twists. Public Key Cryptography Paris, France., C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Avoiding full extension field arithmetic in pairing computations. AFRICACRYPT Stellenbosch, South Africa., C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Delaying mismatched field multiplications in pairing computations. WAIFI Istanbul, Turkey. **, and D. Stebila. Fixed argument pairings. LATINCRYPT Puebla, Mexico., K. Lauter and M. Naehrig. Attractive subfamilies of BLS curves for implementing high-security pairings. INDOCRYPT Chennai, India., and K. Lauter. Group law computations on Jacobians of hyperelliptic curves. Selected Areas in Cryptography Ontario, Canada.. Particularly friendly members of family trees. In submission. ** significant improvements in thesis 4 / 47

5 1 Motivation 2 Pairings 3 Our work Fast explicit formulas Avoiding F q k arithmetic and fixed argument pairings Attractive subfamilies of pairing-friendly curves 4 Summary 5 / 47

6 Private-key vs. Public-key cryptography BC - WWII: Caesar Mary, Queen of Scots German Enigma Code must communicate beforehand 1970 s: Diffie-Hellman-Merkle Rivest-Shamir-Adleman (RSA) Cocks HUGE BREAKTHROUGH: no need for prior communication!!! 6 / 47

7 Diffie-Hellman (Merkle): a toy example Public values: q = (prime), g = (generator of Z q). Secret values: Alice s secret: a= Bob s secret: b= Alice computes (public key): Bob computes (public key): g a mod q = g b mod q = Bob can compute: Alice can compute: a = = b = g ab Secret keys safe as long as discrete log problem (DLP) is hard Joint secret safe as long as Diffie-Hellman problem is hard 7 / 47

8 Modulus (key) sizes: then and now 1970 s: q = (200-bit prime) NOW: q = (1024-bit prime) 8 / 47

9 Elliptic curves cryptography (ECC) mid 1980 s: Neal Koblitz Victor Miller Use elliptic curve (more abstract) groups instead! y 2 = x 3 + ax + b Subexponential attacks on standard groups don t apply. q = (1024-bit prime) vs. q = (160-bit prime) 9 / 47

10 The elliptic curve group law : chord-and-tangent rule sub l : y = λx + ν into y 2 = x 3 + ax + b (Affine addition) (Affine doubling) λ = y Q y P x Q x P ; ν = y P λx P ; (x P, y P ) (x Q, y Q ) = `λ 2 x P x Q, (λx R + ν). λ = 3x2 P + a 2y P ; ν = y P λx P ; [2](x P, y P ) = (x P, y P ) (x P, y P ) = `λ 2 2x P, (λx R + ν). 10 / 47

11 The pairing explosion Pairings are an extremely powerful primitive that exist on elliptic curves (more generally abelian varieties) Boneh - Franklin They have been used in the past decade to construct many new protocols / solve many cryptographic problems: - Identity-based encryption (IBE), predicate/attribute-based encryption (ABE), hierarchical encryption (HIBE) - group/short/ring signatures - (partially) homomorphic encryption - many many more / 47

12 The need for speed... First implementation [Menezes 1993]: a few minutes hundreds of papers on faster pairing computation Current record-holding implementation [Aranha et al. 2010]: less than a millisecond 12 / 47

13 Pairings / 47

14 What s a pairing A pairing is a bilinear map e : G 1 G 2 G T P Q e(p, Q) Bilinear: e([a]p, [b]q) = e(p, Q) ab = e([b]p, [a]q) G 1 and G 2 are (prime) order r groups on an elliptic curve E/F q - also linearly independent G T is the order r multiplicative group of the extension field F q k All three discrete log problems need to be intractable r large, q k much larger again The embedding degree k Z plays a vital role in pairing-based cryptography 14 / 47

15 Pairing-friendly curves Definition: E is a pairing-friendly curve if... k is small (less than 50) the prime r dividing #E has ρ = log 2 q log 2 r 2 Balasubramanian-Koblitz 98: G 1, G 2 and G T defined over F q k iff r q k 1 r huge prime, q huge prime k huge in general k being small enough is extremely unlikely in general Moral of the story: pairing-friendly curves are very rare 15 / 47

16 Balancing security requires varied k Example - a Barreto-Naehrig k = 12 (ρ = 1, #E = r) curve: E/F q : y 2 = x q= r= Perfect for the 128-bit security level: r 256-bits, q bits. 16 / 47

17 The r-torsion: defining G 1 and G 2 The entire r-torsion E[r] is defined over F q k : E[r] = Z r Z r r + 1 cyclic subgroups of order r, e.g. r= Different types of pairings depending on available isomorphisms Most useful/common/applicable/efficient is Type 3 Type 3: G 1 = E[r] ker(π [1]) and G 2 = E[r] ker(π [q]) 17 / 47

18 What do P, Q and e(p, Q) look like? P comes from the base field subgroup G 1 = E[r] ker(π [1]) E(F q ), e.g. P = ( , ) The pairing e(p, Q) lies in F q k, e.g x x x x x x x x x x x Q comes from the trace zero subgroup G 2 = E[r] ker(π [q]) E(F q k ) - e.g. two coordinates of the above size 18 / 47

19 Using the twisted curve to represent G 2 Original curve is E(F q ) : y 2 = x 3 + ax + b Fortunately, we can employ the use of the twisted curve E (F q k/d ) : y 2 = x 3 + axω 4 + bω 6 of E(F q ) Isomorphism Ψ : E E; (x, y ) (x /ω 2, y /ω 3 ) Ψ 1 : E E ; (x, y) (xω 2, yω 3 ) Instead of working with Q G 2 = E(F q k ), we can work with Q G 2 = E (F q k/d ) Possible degrees of twists d = {2, 3, 4, 6} (the bigger the better) e.g. instead of working over F q 12, we can work over F q 2 using a d = 6 sextic twist x / 47

20 Summary so far To compute the pairing e(p, Q) of P and Q P is a point on E with coordinates in base field Q is a point on E with coordinates in extension field F q k use Q E (F q k/d )). (but e(p, Q) is a value in F q k Now, how do we actually compute the pairing? 20 / 47

21 The Weil and Tate pairings Weil pairing (in crypto): André Weil John Tate e(p, Q) = f r,p(q) f r,q (P) ; Tate pairing (in crypto): e(p, Q) = f r,p (Q) (qk 1)/r, where f r,p is a (unique) degree r function: coefficients dependent on P, evaluated at Q... e.g. r = impossible to compute/store explicitly for cryptographically useful instances! 21 / 47

22 Miller s algorithm Miller 1986: build the function f r,p by successively squaring (and multiply), but evaluate as you build / 47

23 Miller s algorithm for the Tate pairing f r,p (Q) (qk 1)/r r = (r l 1,..., r 1, r 0 ) 2 initialize: R = P, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P iii. f f l ADD(Q) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) 23 / 47

24 Miller s algorithm for the Tate pairing f r,p (Q) (qk 1)/r r = (r l 1,..., r 1, r 0 ) 2 initialize: R = P, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P iii. f f l ADD(Q) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) r= r=1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 24 / 47

25 Miller s algorithm for the optimal ate pairing: π(q) = [q]q m = (m l 1,..., m 1, m 0 ) 2 initialize: R = Q, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(P) b. if m i = 1 then i. Compute l ADD in the addition of R + Q ii. R R + Q iii. f f l ADD(P) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) m= , i.e. m=(1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0) log 2 m log 2 r/ϕ(k) Hess Smart Vercauteren 25 / 47

26 Fast formulas Avoiding F q k arithmetic Subfamilies Our work 26 / 47

27 Fast formulas Avoiding F q k arithmetic Subfamilies Unify and optimise curve operations in Miller loop a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL (P) b. if m i = 1 then i. Compute l ADD in the addition of R + Q ii. R R + Q iii. f f l ADD (P) //(DBL) //(ADD) 27 / 47

28 Fast formulas Avoiding F q k arithmetic Subfamilies Do everything on the twisted curve ate pairing computation involves moving back between E and E (different curves) problematic for deriving unified formulas for all steps Theorem (C-Lange-Naehrig-2010) Let E/F q : y 2 = x 3 + ax + b and let E /F q k/d : y 2 = x 3 + aω 4 x + bω 6, a degree-d twist of E. Let Ψ be the associated twist isomorphism Ψ : E E : (x, y ) (x /ω 2, y /ω 3 ). Let P G 1, Q G 2, and let Q = Ψ 1 (Q) and P = Ψ 1 (P). Let a T (Q, P) be the ate pairing of Q and P. Then a T (Q, P) gcd(d,6) = a T (Q, P ) gcd(d,6), where a T (Q, P ) = f T,Q (P ) (qk 1)/r uses the same loop parameter as a T (Q, P) on E, but takes the two twisted points Q and P as inputs, instead of Q and P. Corollary If a T (Q, P) is bilinear and non-degenerate, then so is a T (Q, P ). 28 / 47

29 Fast formulas Avoiding F q k arithmetic Subfamilies Weierstrass curves for fast pairings We found Weierstrass curves y 2 = x 3 + ax + b to perform fastest for pairings (geometric chord-and-tangent description so simple) Focussed on tailor-made formulas for curves with high-degree twists Different projective spaces perform fastest for different curves Z coordinate sweeps the denominators and avoids inversions 29 / 47

30 Fast formulas Avoiding F q k arithmetic Subfamilies Example: y 2 = x 3 + b Homogeneous projective coordinates are best: substitute x = X /Z and y = Y /Z to work on Y 2 Z = X 3 + bz 3 Compute (X 3 : Y 3 : Z 3 ) = [2](X 1 : Y 1 : Z 1 ) as X 3 = 2X 1 Y 1 (Y 2 1 9bZ 2 1 ), Y 3 = Y bY 2 1 Z b 2 Z 4 1, Z 3 = 8Y 3 1 Z 1. Compute the line function as l = 3X 2 1 x P 2Y 1 Z 1 y P + 3bZ 2 1 Y 2 1. A lot of magic goes into the above simplification (Gröbner basis reductions, etc) Exploit overlaps - altogether costs: 2m + 7s 30 / 47

31 Fast formulas Avoiding F q k arithmetic Subfamilies Comparisons with previous best formulas Curve DBL Prev. DBL Curve order Record ADD Record ADD Twist deg. madd madd y 2 = x 3 + ax C-Lange- 2m + 8s Ionica-Joux 1m + 11s - Naehrig 10 12m + 7s Arene et al. 10m + 6s d = 2, 4 W (1,2) 9m + 5s J 7m + 6s y 2 = x 3 + c 2 C-Hisil-Boyd- 3m + 5s Arene et al. 3m + 8s 3 #E Gonzalez Nieto-Wong 09 14m + 2s P 10m + 6s d = 2, 6 P 10m + 2s 7m + 6s y 2 = x 3 + b C-Lange- 2m + 7s Arene et al. 3m + 8s 3 #E Naehrig 10 14m + 2s J 10m + 6s d = 2, 6 P 10m + 2s 7m + 6s y 2 = x 3 + b C-Lange- 6m + 7s El Mrabet et al. 8m + 9s - Naehrig 10 16m + 3s P ADD/mADD d = 3 P 13m + 3s not reported 31 / 47

32 Fast formulas Avoiding F q k arithmetic Subfamilies Avoiding extension field arithmetic a. i. Compute l DBL in the doubling of R ii. R [2]R //(DBL) iii. f f 2 l DBL (Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P //(ADD) iii. f f l ADD (Q) F q k operations most costly in the Miller loop Our prior work saved operations that occur in F q k/d F q k C-Boyd-Gonzalez Nieto-Wong (two papers) looked at avoiding the arithmetic that hurts most... Return to Tate setting (for now): P F q is first argument 32 / 47

33 Fast formulas Avoiding F q k arithmetic Subfamilies Avoiding extension field arithmetic iterate through... i. f f 2 l DBL (Q) ii. if m i = 1 then f f l ADD (Q) The updates look like l : l x x Q + l y y Q + l 0 The l x, l y, l 0 F q, whilst x Q, y Q F q k Consider leaving l unevaluated, and operating on it before touching Q (a lot more operations in F q, but saves operations in F q k ) e.g. k = 12, F q k mul costs 54 F q muls e.g. merging two consecutive doublings: (l x x Q + l y y Q + l 0 ) 2 `l x x Q + l y y Q + l 0 = l 3,0 ˆ xq 3 + l 2,0 ˆ xq 2 + l 1,0 ˆ x Q + l 2,1 ˆ xq 2 y Q + l 1,2 ˆ x Q yq 2 + l 1,1 ˆ x Q y Q + l 0,3 ˆ xq 3 + l 0,2 ˆ xq 2 + l 0,1 ˆ x Q + l 0,0 ˆ actually turns out so much better l 2,0 x 2 Q + l 1,1 x Q y Q + l 1,0 x Q + l 0,1 y Q + l 0,0 33 / 47

34 Fast formulas Avoiding F q k arithmetic Subfamilies Quadruple-and-add on y 2 = x 3 + b Compute (X 3 : Y 3 : Z 3 ) = [4](X 1 : Y 1 : Z 1 ) on Y 2 Z = X 3 + bz 3 and the update function is... l 2,0 x 2 Q + l 1,1x Q y Q + l 1,0 x Q + l 0,1 y Q + l 0,0 l 2,0 = 6X1 2 Z 1(5Y bY1 2 Z1 2 27b 2 Z1 4 ); l 0,1 = 8X 1Y 1Z 1(5Y b 2 Z1 4 ); l 1,1 = 8Y 1Z1 2 (Y bY1 2 Z1 2 27b 2 Z1 4 ); l 0,0 = 2X 1(Y1 6 75bY1 4 Z b 2 Y1 2 Z1 4 81b 3 Z1 6 ); l 1,0 = 4Z 1(5Y1 6 75bZ1 2 Y Y1 2 b 2 Z1 4 81b 3 Z1 6 ). Quadrupling cost 14m + 16s in F q (vs. two doublings: 4m + 14s in F q ) We suffer an extra 10m + 2s in F q, but we save a much more costly F q k multiplication Speed ups for Tate, doesn t work for ate... however / 47

35 Fast formulas Avoiding F q k arithmetic Subfamilies Fixed argument pairings Very common scenario: in the pairing e(p, Q), one of the arguments is fixed as a long term secret key (or constant public param, etc) We can exploit this and perform precomputations C-Stebila 10 - merging iterations in this scenario is much more powerful (thanks to anonymous reviewer of previous work) 128-bit optimal pairing 256-bit optimal pairing k = 12 BN curve k = 24 BLS curve F q = 254 bits F q = 639 bits precomp Miller loop storage Miller loop storage method cost required (bits) cost required (bits) none 6469 m m 1 - Scott m 1 70, m 1 340,000 quadrupling 4446 m 1 75, m 1 368,000 octupling 4053 m 1 100, m 1 510, / 47

36 Fast formulas Avoiding F q k arithmetic Subfamilies Fixed argument pairings - applications # fixed # fixed pairings arguments pairings arguments Public key encryption Encryption Decryption Boyen-Mei-Waters nd ID-based encryption Encryption Decryption Boneh-Franklin nd 1 1 st Boneh-Boyen nd Waters both in 2 nd Attribute-based encr. Encryption Decryption GPSW 06 0 #attr. all in 1 st LOSTW #attr. all in 2 nd ID-based signatures Signing Verification Waters in 2 nd ID-based key exchange Initiator Responder Smart in 1 st, 1 in 2 nd 2 1 in 1 st, 1 in 2 nd Chen-Kudla st 1 2 nd McCullagh-Barreto nd 1 2 nd Table: A few of the protocols that can employ/enjoy our precomputation technique. 36 / 47

37 Fast formulas Avoiding F q k arithmetic Subfamilies Towered extension field arithmetic Koblitz-Menezes 05: for k = 2 i 3 j, build extension field as a sequence of quadratic and cubic subextensions (preferably binomials) Karatsuba-like tricks make arithmetic much faster easier to implement twisted subfields constructed inherently e.g. a k = 12 tower Instead of F q 12 multiplications costing 144 F q multiplications, they cost = 54 F q multiplications Finding a nice tower is not always possible 37 / 47

38 Fast formulas Avoiding F q k arithmetic Subfamilies Parameterised families of pairing-friendly curves All of the best constructions of pairing-friendly curves come from parameterised families Implementors now able to gather suitable curves in bulk Barreto Lynn Scott e.g. Barreto-Lynn-Scott (among many other contributions) gave curves with k = 24: q(x) = (x 1) 2 (x 8 x 4 + 1)/3 + x; n(x) = (x 1) 2 (x 8 x 4 + 1)/3; r(x) = x 8 x 4 + 1; when q = q(x), r = r(x) are prime, guaranteed a curve E/F q : y 2 = x 3 + b with r n = #E. 38 / 47

39 Fast formulas Avoiding F q k arithmetic Subfamilies Example: searching for BLS curves q(x) = (x 1) 2 (x 8 x 4 + 1)/3 + x; r(x) = x 8 x Kick-start with x = 2 64 = (targeting 256-bit security): x 1 mod 3, x x + 3 soon enough x = q = soon after x = q = moral: thousands/millions/billions... of possible curves to choose from / 47

40 Fast formulas Avoiding F q k arithmetic Subfamilies Attractive subfamilies of BLS curves for high-security Theorem (C-Lauter-Naehrig 11) Instead of x 1 mod 3, take x 0 p(x 0 ) n(x 0 ) efficient curve correct mod 72 mod 72 mod 72 tower E twist E y 2 = x y 2 = x 3 ± 1/v y 2 = x y 2 = x 3 ± 4v y 2 = x y 2 = x 3 ± v y 2 = x 3 2 y 2 = x 3 ± 2/v 40 / 47

41 Fast formulas Avoiding F q k arithmetic Subfamilies Particularly friendly members of family trees Most recent work took this subfamilies idea further Thoroughly explored the other 8 families of interest: BW k = 8, BLS k = 12, KSS k = 16, KSS k = 18, BLS k = 27, KSS k = 32, KSS k = 36, BLS k = 48 Two (quartic/sextic) twist types: type M and type D (type D previously preferred - untwisting isomorphism)... but CLN 10 Theorem remedies this!: there is no preference Also give compact generators for many of the favoured subfamilies 41 / 47

42 Fast formulas Avoiding F q k arithmetic Subfamilies x ±5 mod 14 {5, 9} + 14i (112) a? a 1 T 1 T? a 2 T 1 a 2 T 1 19, 33, 51, 65, 75, 107 {19, 33, 51, 65, 75, 107} +112j (1680) M D , 89 {9, 89} +112j (560) T 3 T? M D D M T 2 a 3 T 3 M M D T? T 2 D a 5 T 3 M T? Figure: Example: The k = 16 KSS family tree. a? / 47

43 Fast formulas Avoiding F q k arithmetic Subfamilies Picking fruits from the trees rating equiv. class for x tower a twist G 1 gen. G 2 gen. % (x = x/5) type [h](, ) [h ](, ) 61, 93 mod 112 T 1 1 M - v 1, p (v 1) 3 + v(v 1) , 37 mod 112 T 1 1 D - v, p v q 47, 79 mod 112 T 1 2 D - 2/v, 8 v v , 103 mod 112 T 1 2 M `1, q {19,..., 1531} 16 mod 1680 T 2 3 M (1, 2) 3/v, 27 v v , 1633 mod 1680 T 2 5 D 2, Table: Our favourite picks from the k = 16 KSS tree. Implementors can use our trees to tailor-make searches that target specific parameter combinations/preferences... or choose from our extensive list (low hamming-weight examples) e.g. x = ( ) corresponds to 47 mod 112, gives q(x) and r(x) as prime, so KSS curve is y 2 = x 3 + x, tower is T 1, correct twist is type D. 43 / 47

44 Summary 44 / 47

45 Summary Chapter 3: C-Hisil-Boyd-Gonzalez Nieto-Wong 09 and C-Lange-Naehrig 10: fastest explicit formulas for pairing arithmetic across all elliptic curve models Chapter 4: C-Boyd-Gonzalez Nieto-Wong 10 (parts I and II): merging Miller iterations to give faster Tate pairing in some scenarios, particularly larger embedding degrees Chapter 5: C-Stebila 10: applies merging technique to fixed argument scenario for significant improvement in the Miller loop for state-of-the-art pairings Chapter 6: C-Lauter-Naehrig 11: attractive subfamilies of BLS curves for high-security pairings Chapter 7: C 12: attractive subfamilies for all other families covering all possible security levels Chapter 8: C-Lauter 11: new algorithm for arbitrary genus hyperelliptic curve arithmetic, records for genus 2 hyperelliptic curves. 45 / 47

46 Future work Next 3-4 months: still fast pairing-based cryptography fixed arguments on hyperelliptic curves fixed argument Weil pairing faster non-pairing operations attacking pairings Next few years: lattice-based cryptography? efficient fully homomorphic encryption: the holy grail Rest of life: curves/abelian varieties/arithmetic geometry/computational number theory 46 / 47

47 Questions? Recommended questions include what s the cost of a pairing compared to [insert related operation] tell us about your [insert kind adjective] work on arbitrary genus arithmetic tell us more about the magic involved in deriving the faster formulas in Chapters 3 and 4 why didn t your high-security pairings timings break the software speed record at the 256-bit level? show us a pairing in Magma / 47