Fast Formulas for Computing Cryptographic Pairings
|
|
- Annis Booth
- 5 years ago
- Views:
Transcription
1 Fast Formulas for Computing Cryptographic Pairings Craig Costello Queensland University of Technology May 28, / 47
2 Thanks: supervisors and co-authors Prof. Colin Boyd Dr. Juanma Gonzalez Nieto Dr. Kenneth Koon-Ho Wong Prof. Alice Silverberg (UC-Irvine) Prof. Kristin Lauter (Microsoft Research/UC-San Diego) A. Prof. Huseyin Hisil Dr. Douglas Stebila Prof. Tanja Lange Dr. Michael Naehrig (QUT/Ismir Yasar) (QUT) (T.U. Eindhoven) (T.U. Eindhoven/Microsoft) 2 / 47
3 Motivation Pairings Our work Summary Thanks: funding and institutes 3 / 47
4 Associated Publications **C. Costello, H. Hisil, C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Faster pairings on special Weierstrass curves. Pairing Stanford, USA., T. Lange, and M. Naehrig. Faster pairing computations on curves with high-degree twists. Public Key Cryptography Paris, France., C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Avoiding full extension field arithmetic in pairing computations. AFRICACRYPT Stellenbosch, South Africa., C. Boyd, J. M. Gonzlez Nieto, and K. K. Wong. Delaying mismatched field multiplications in pairing computations. WAIFI Istanbul, Turkey. **, and D. Stebila. Fixed argument pairings. LATINCRYPT Puebla, Mexico., K. Lauter and M. Naehrig. Attractive subfamilies of BLS curves for implementing high-security pairings. INDOCRYPT Chennai, India., and K. Lauter. Group law computations on Jacobians of hyperelliptic curves. Selected Areas in Cryptography Ontario, Canada.. Particularly friendly members of family trees. In submission. ** significant improvements in thesis 4 / 47
5 1 Motivation 2 Pairings 3 Our work Fast explicit formulas Avoiding F q k arithmetic and fixed argument pairings Attractive subfamilies of pairing-friendly curves 4 Summary 5 / 47
6 Private-key vs. Public-key cryptography BC - WWII: Caesar Mary, Queen of Scots German Enigma Code must communicate beforehand 1970 s: Diffie-Hellman-Merkle Rivest-Shamir-Adleman (RSA) Cocks HUGE BREAKTHROUGH: no need for prior communication!!! 6 / 47
7 Diffie-Hellman (Merkle): a toy example Public values: q = (prime), g = (generator of Z q). Secret values: Alice s secret: a= Bob s secret: b= Alice computes (public key): Bob computes (public key): g a mod q = g b mod q = Bob can compute: Alice can compute: a = = b = g ab Secret keys safe as long as discrete log problem (DLP) is hard Joint secret safe as long as Diffie-Hellman problem is hard 7 / 47
8 Modulus (key) sizes: then and now 1970 s: q = (200-bit prime) NOW: q = (1024-bit prime) 8 / 47
9 Elliptic curves cryptography (ECC) mid 1980 s: Neal Koblitz Victor Miller Use elliptic curve (more abstract) groups instead! y 2 = x 3 + ax + b Subexponential attacks on standard groups don t apply. q = (1024-bit prime) vs. q = (160-bit prime) 9 / 47
10 The elliptic curve group law : chord-and-tangent rule sub l : y = λx + ν into y 2 = x 3 + ax + b (Affine addition) (Affine doubling) λ = y Q y P x Q x P ; ν = y P λx P ; (x P, y P ) (x Q, y Q ) = `λ 2 x P x Q, (λx R + ν). λ = 3x2 P + a 2y P ; ν = y P λx P ; [2](x P, y P ) = (x P, y P ) (x P, y P ) = `λ 2 2x P, (λx R + ν). 10 / 47
11 The pairing explosion Pairings are an extremely powerful primitive that exist on elliptic curves (more generally abelian varieties) Boneh - Franklin They have been used in the past decade to construct many new protocols / solve many cryptographic problems: - Identity-based encryption (IBE), predicate/attribute-based encryption (ABE), hierarchical encryption (HIBE) - group/short/ring signatures - (partially) homomorphic encryption - many many more / 47
12 The need for speed... First implementation [Menezes 1993]: a few minutes hundreds of papers on faster pairing computation Current record-holding implementation [Aranha et al. 2010]: less than a millisecond 12 / 47
13 Pairings / 47
14 What s a pairing A pairing is a bilinear map e : G 1 G 2 G T P Q e(p, Q) Bilinear: e([a]p, [b]q) = e(p, Q) ab = e([b]p, [a]q) G 1 and G 2 are (prime) order r groups on an elliptic curve E/F q - also linearly independent G T is the order r multiplicative group of the extension field F q k All three discrete log problems need to be intractable r large, q k much larger again The embedding degree k Z plays a vital role in pairing-based cryptography 14 / 47
15 Pairing-friendly curves Definition: E is a pairing-friendly curve if... k is small (less than 50) the prime r dividing #E has ρ = log 2 q log 2 r 2 Balasubramanian-Koblitz 98: G 1, G 2 and G T defined over F q k iff r q k 1 r huge prime, q huge prime k huge in general k being small enough is extremely unlikely in general Moral of the story: pairing-friendly curves are very rare 15 / 47
16 Balancing security requires varied k Example - a Barreto-Naehrig k = 12 (ρ = 1, #E = r) curve: E/F q : y 2 = x q= r= Perfect for the 128-bit security level: r 256-bits, q bits. 16 / 47
17 The r-torsion: defining G 1 and G 2 The entire r-torsion E[r] is defined over F q k : E[r] = Z r Z r r + 1 cyclic subgroups of order r, e.g. r= Different types of pairings depending on available isomorphisms Most useful/common/applicable/efficient is Type 3 Type 3: G 1 = E[r] ker(π [1]) and G 2 = E[r] ker(π [q]) 17 / 47
18 What do P, Q and e(p, Q) look like? P comes from the base field subgroup G 1 = E[r] ker(π [1]) E(F q ), e.g. P = ( , ) The pairing e(p, Q) lies in F q k, e.g x x x x x x x x x x x Q comes from the trace zero subgroup G 2 = E[r] ker(π [q]) E(F q k ) - e.g. two coordinates of the above size 18 / 47
19 Using the twisted curve to represent G 2 Original curve is E(F q ) : y 2 = x 3 + ax + b Fortunately, we can employ the use of the twisted curve E (F q k/d ) : y 2 = x 3 + axω 4 + bω 6 of E(F q ) Isomorphism Ψ : E E; (x, y ) (x /ω 2, y /ω 3 ) Ψ 1 : E E ; (x, y) (xω 2, yω 3 ) Instead of working with Q G 2 = E(F q k ), we can work with Q G 2 = E (F q k/d ) Possible degrees of twists d = {2, 3, 4, 6} (the bigger the better) e.g. instead of working over F q 12, we can work over F q 2 using a d = 6 sextic twist x / 47
20 Summary so far To compute the pairing e(p, Q) of P and Q P is a point on E with coordinates in base field Q is a point on E with coordinates in extension field F q k use Q E (F q k/d )). (but e(p, Q) is a value in F q k Now, how do we actually compute the pairing? 20 / 47
21 The Weil and Tate pairings Weil pairing (in crypto): André Weil John Tate e(p, Q) = f r,p(q) f r,q (P) ; Tate pairing (in crypto): e(p, Q) = f r,p (Q) (qk 1)/r, where f r,p is a (unique) degree r function: coefficients dependent on P, evaluated at Q... e.g. r = impossible to compute/store explicitly for cryptographically useful instances! 21 / 47
22 Miller s algorithm Miller 1986: build the function f r,p by successively squaring (and multiply), but evaluate as you build / 47
23 Miller s algorithm for the Tate pairing f r,p (Q) (qk 1)/r r = (r l 1,..., r 1, r 0 ) 2 initialize: R = P, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P iii. f f l ADD(Q) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) 23 / 47
24 Miller s algorithm for the Tate pairing f r,p (Q) (qk 1)/r r = (r l 1,..., r 1, r 0 ) 2 initialize: R = P, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P iii. f f l ADD(Q) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) r= r=1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 24 / 47
25 Miller s algorithm for the optimal ate pairing: π(q) = [q]q m = (m l 1,..., m 1, m 0 ) 2 initialize: R = Q, f = 1 1 for i = l 2 to 0 do //(Miller loop) a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL(P) b. if m i = 1 then i. Compute l ADD in the addition of R + Q ii. R R + Q iii. f f l ADD(P) //(DBL) //(ADD) 2 f f (qk 1)/r. //(Final exponentiation) m= , i.e. m=(1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0) log 2 m log 2 r/ϕ(k) Hess Smart Vercauteren 25 / 47
26 Fast formulas Avoiding F q k arithmetic Subfamilies Our work 26 / 47
27 Fast formulas Avoiding F q k arithmetic Subfamilies Unify and optimise curve operations in Miller loop a. i. Compute l DBL in the doubling of R ii. R [2]R iii. f f 2 l DBL (P) b. if m i = 1 then i. Compute l ADD in the addition of R + Q ii. R R + Q iii. f f l ADD (P) //(DBL) //(ADD) 27 / 47
28 Fast formulas Avoiding F q k arithmetic Subfamilies Do everything on the twisted curve ate pairing computation involves moving back between E and E (different curves) problematic for deriving unified formulas for all steps Theorem (C-Lange-Naehrig-2010) Let E/F q : y 2 = x 3 + ax + b and let E /F q k/d : y 2 = x 3 + aω 4 x + bω 6, a degree-d twist of E. Let Ψ be the associated twist isomorphism Ψ : E E : (x, y ) (x /ω 2, y /ω 3 ). Let P G 1, Q G 2, and let Q = Ψ 1 (Q) and P = Ψ 1 (P). Let a T (Q, P) be the ate pairing of Q and P. Then a T (Q, P) gcd(d,6) = a T (Q, P ) gcd(d,6), where a T (Q, P ) = f T,Q (P ) (qk 1)/r uses the same loop parameter as a T (Q, P) on E, but takes the two twisted points Q and P as inputs, instead of Q and P. Corollary If a T (Q, P) is bilinear and non-degenerate, then so is a T (Q, P ). 28 / 47
29 Fast formulas Avoiding F q k arithmetic Subfamilies Weierstrass curves for fast pairings We found Weierstrass curves y 2 = x 3 + ax + b to perform fastest for pairings (geometric chord-and-tangent description so simple) Focussed on tailor-made formulas for curves with high-degree twists Different projective spaces perform fastest for different curves Z coordinate sweeps the denominators and avoids inversions 29 / 47
30 Fast formulas Avoiding F q k arithmetic Subfamilies Example: y 2 = x 3 + b Homogeneous projective coordinates are best: substitute x = X /Z and y = Y /Z to work on Y 2 Z = X 3 + bz 3 Compute (X 3 : Y 3 : Z 3 ) = [2](X 1 : Y 1 : Z 1 ) as X 3 = 2X 1 Y 1 (Y 2 1 9bZ 2 1 ), Y 3 = Y bY 2 1 Z b 2 Z 4 1, Z 3 = 8Y 3 1 Z 1. Compute the line function as l = 3X 2 1 x P 2Y 1 Z 1 y P + 3bZ 2 1 Y 2 1. A lot of magic goes into the above simplification (Gröbner basis reductions, etc) Exploit overlaps - altogether costs: 2m + 7s 30 / 47
31 Fast formulas Avoiding F q k arithmetic Subfamilies Comparisons with previous best formulas Curve DBL Prev. DBL Curve order Record ADD Record ADD Twist deg. madd madd y 2 = x 3 + ax C-Lange- 2m + 8s Ionica-Joux 1m + 11s - Naehrig 10 12m + 7s Arene et al. 10m + 6s d = 2, 4 W (1,2) 9m + 5s J 7m + 6s y 2 = x 3 + c 2 C-Hisil-Boyd- 3m + 5s Arene et al. 3m + 8s 3 #E Gonzalez Nieto-Wong 09 14m + 2s P 10m + 6s d = 2, 6 P 10m + 2s 7m + 6s y 2 = x 3 + b C-Lange- 2m + 7s Arene et al. 3m + 8s 3 #E Naehrig 10 14m + 2s J 10m + 6s d = 2, 6 P 10m + 2s 7m + 6s y 2 = x 3 + b C-Lange- 6m + 7s El Mrabet et al. 8m + 9s - Naehrig 10 16m + 3s P ADD/mADD d = 3 P 13m + 3s not reported 31 / 47
32 Fast formulas Avoiding F q k arithmetic Subfamilies Avoiding extension field arithmetic a. i. Compute l DBL in the doubling of R ii. R [2]R //(DBL) iii. f f 2 l DBL (Q) b. if m i = 1 then i. Compute l ADD in the addition of R + P ii. R R + P //(ADD) iii. f f l ADD (Q) F q k operations most costly in the Miller loop Our prior work saved operations that occur in F q k/d F q k C-Boyd-Gonzalez Nieto-Wong (two papers) looked at avoiding the arithmetic that hurts most... Return to Tate setting (for now): P F q is first argument 32 / 47
33 Fast formulas Avoiding F q k arithmetic Subfamilies Avoiding extension field arithmetic iterate through... i. f f 2 l DBL (Q) ii. if m i = 1 then f f l ADD (Q) The updates look like l : l x x Q + l y y Q + l 0 The l x, l y, l 0 F q, whilst x Q, y Q F q k Consider leaving l unevaluated, and operating on it before touching Q (a lot more operations in F q, but saves operations in F q k ) e.g. k = 12, F q k mul costs 54 F q muls e.g. merging two consecutive doublings: (l x x Q + l y y Q + l 0 ) 2 `l x x Q + l y y Q + l 0 = l 3,0 ˆ xq 3 + l 2,0 ˆ xq 2 + l 1,0 ˆ x Q + l 2,1 ˆ xq 2 y Q + l 1,2 ˆ x Q yq 2 + l 1,1 ˆ x Q y Q + l 0,3 ˆ xq 3 + l 0,2 ˆ xq 2 + l 0,1 ˆ x Q + l 0,0 ˆ actually turns out so much better l 2,0 x 2 Q + l 1,1 x Q y Q + l 1,0 x Q + l 0,1 y Q + l 0,0 33 / 47
34 Fast formulas Avoiding F q k arithmetic Subfamilies Quadruple-and-add on y 2 = x 3 + b Compute (X 3 : Y 3 : Z 3 ) = [4](X 1 : Y 1 : Z 1 ) on Y 2 Z = X 3 + bz 3 and the update function is... l 2,0 x 2 Q + l 1,1x Q y Q + l 1,0 x Q + l 0,1 y Q + l 0,0 l 2,0 = 6X1 2 Z 1(5Y bY1 2 Z1 2 27b 2 Z1 4 ); l 0,1 = 8X 1Y 1Z 1(5Y b 2 Z1 4 ); l 1,1 = 8Y 1Z1 2 (Y bY1 2 Z1 2 27b 2 Z1 4 ); l 0,0 = 2X 1(Y1 6 75bY1 4 Z b 2 Y1 2 Z1 4 81b 3 Z1 6 ); l 1,0 = 4Z 1(5Y1 6 75bZ1 2 Y Y1 2 b 2 Z1 4 81b 3 Z1 6 ). Quadrupling cost 14m + 16s in F q (vs. two doublings: 4m + 14s in F q ) We suffer an extra 10m + 2s in F q, but we save a much more costly F q k multiplication Speed ups for Tate, doesn t work for ate... however / 47
35 Fast formulas Avoiding F q k arithmetic Subfamilies Fixed argument pairings Very common scenario: in the pairing e(p, Q), one of the arguments is fixed as a long term secret key (or constant public param, etc) We can exploit this and perform precomputations C-Stebila 10 - merging iterations in this scenario is much more powerful (thanks to anonymous reviewer of previous work) 128-bit optimal pairing 256-bit optimal pairing k = 12 BN curve k = 24 BLS curve F q = 254 bits F q = 639 bits precomp Miller loop storage Miller loop storage method cost required (bits) cost required (bits) none 6469 m m 1 - Scott m 1 70, m 1 340,000 quadrupling 4446 m 1 75, m 1 368,000 octupling 4053 m 1 100, m 1 510, / 47
36 Fast formulas Avoiding F q k arithmetic Subfamilies Fixed argument pairings - applications # fixed # fixed pairings arguments pairings arguments Public key encryption Encryption Decryption Boyen-Mei-Waters nd ID-based encryption Encryption Decryption Boneh-Franklin nd 1 1 st Boneh-Boyen nd Waters both in 2 nd Attribute-based encr. Encryption Decryption GPSW 06 0 #attr. all in 1 st LOSTW #attr. all in 2 nd ID-based signatures Signing Verification Waters in 2 nd ID-based key exchange Initiator Responder Smart in 1 st, 1 in 2 nd 2 1 in 1 st, 1 in 2 nd Chen-Kudla st 1 2 nd McCullagh-Barreto nd 1 2 nd Table: A few of the protocols that can employ/enjoy our precomputation technique. 36 / 47
37 Fast formulas Avoiding F q k arithmetic Subfamilies Towered extension field arithmetic Koblitz-Menezes 05: for k = 2 i 3 j, build extension field as a sequence of quadratic and cubic subextensions (preferably binomials) Karatsuba-like tricks make arithmetic much faster easier to implement twisted subfields constructed inherently e.g. a k = 12 tower Instead of F q 12 multiplications costing 144 F q multiplications, they cost = 54 F q multiplications Finding a nice tower is not always possible 37 / 47
38 Fast formulas Avoiding F q k arithmetic Subfamilies Parameterised families of pairing-friendly curves All of the best constructions of pairing-friendly curves come from parameterised families Implementors now able to gather suitable curves in bulk Barreto Lynn Scott e.g. Barreto-Lynn-Scott (among many other contributions) gave curves with k = 24: q(x) = (x 1) 2 (x 8 x 4 + 1)/3 + x; n(x) = (x 1) 2 (x 8 x 4 + 1)/3; r(x) = x 8 x 4 + 1; when q = q(x), r = r(x) are prime, guaranteed a curve E/F q : y 2 = x 3 + b with r n = #E. 38 / 47
39 Fast formulas Avoiding F q k arithmetic Subfamilies Example: searching for BLS curves q(x) = (x 1) 2 (x 8 x 4 + 1)/3 + x; r(x) = x 8 x Kick-start with x = 2 64 = (targeting 256-bit security): x 1 mod 3, x x + 3 soon enough x = q = soon after x = q = moral: thousands/millions/billions... of possible curves to choose from / 47
40 Fast formulas Avoiding F q k arithmetic Subfamilies Attractive subfamilies of BLS curves for high-security Theorem (C-Lauter-Naehrig 11) Instead of x 1 mod 3, take x 0 p(x 0 ) n(x 0 ) efficient curve correct mod 72 mod 72 mod 72 tower E twist E y 2 = x y 2 = x 3 ± 1/v y 2 = x y 2 = x 3 ± 4v y 2 = x y 2 = x 3 ± v y 2 = x 3 2 y 2 = x 3 ± 2/v 40 / 47
41 Fast formulas Avoiding F q k arithmetic Subfamilies Particularly friendly members of family trees Most recent work took this subfamilies idea further Thoroughly explored the other 8 families of interest: BW k = 8, BLS k = 12, KSS k = 16, KSS k = 18, BLS k = 27, KSS k = 32, KSS k = 36, BLS k = 48 Two (quartic/sextic) twist types: type M and type D (type D previously preferred - untwisting isomorphism)... but CLN 10 Theorem remedies this!: there is no preference Also give compact generators for many of the favoured subfamilies 41 / 47
42 Fast formulas Avoiding F q k arithmetic Subfamilies x ±5 mod 14 {5, 9} + 14i (112) a? a 1 T 1 T? a 2 T 1 a 2 T 1 19, 33, 51, 65, 75, 107 {19, 33, 51, 65, 75, 107} +112j (1680) M D , 89 {9, 89} +112j (560) T 3 T? M D D M T 2 a 3 T 3 M M D T? T 2 D a 5 T 3 M T? Figure: Example: The k = 16 KSS family tree. a? / 47
43 Fast formulas Avoiding F q k arithmetic Subfamilies Picking fruits from the trees rating equiv. class for x tower a twist G 1 gen. G 2 gen. % (x = x/5) type [h](, ) [h ](, ) 61, 93 mod 112 T 1 1 M - v 1, p (v 1) 3 + v(v 1) , 37 mod 112 T 1 1 D - v, p v q 47, 79 mod 112 T 1 2 D - 2/v, 8 v v , 103 mod 112 T 1 2 M `1, q {19,..., 1531} 16 mod 1680 T 2 3 M (1, 2) 3/v, 27 v v , 1633 mod 1680 T 2 5 D 2, Table: Our favourite picks from the k = 16 KSS tree. Implementors can use our trees to tailor-make searches that target specific parameter combinations/preferences... or choose from our extensive list (low hamming-weight examples) e.g. x = ( ) corresponds to 47 mod 112, gives q(x) and r(x) as prime, so KSS curve is y 2 = x 3 + x, tower is T 1, correct twist is type D. 43 / 47
44 Summary 44 / 47
45 Summary Chapter 3: C-Hisil-Boyd-Gonzalez Nieto-Wong 09 and C-Lange-Naehrig 10: fastest explicit formulas for pairing arithmetic across all elliptic curve models Chapter 4: C-Boyd-Gonzalez Nieto-Wong 10 (parts I and II): merging Miller iterations to give faster Tate pairing in some scenarios, particularly larger embedding degrees Chapter 5: C-Stebila 10: applies merging technique to fixed argument scenario for significant improvement in the Miller loop for state-of-the-art pairings Chapter 6: C-Lauter-Naehrig 11: attractive subfamilies of BLS curves for high-security pairings Chapter 7: C 12: attractive subfamilies for all other families covering all possible security levels Chapter 8: C-Lauter 11: new algorithm for arbitrary genus hyperelliptic curve arithmetic, records for genus 2 hyperelliptic curves. 45 / 47
46 Future work Next 3-4 months: still fast pairing-based cryptography fixed arguments on hyperelliptic curves fixed argument Weil pairing faster non-pairing operations attacking pairings Next few years: lattice-based cryptography? efficient fully homomorphic encryption: the holy grail Rest of life: curves/abelian varieties/arithmetic geometry/computational number theory 46 / 47
47 Questions? Recommended questions include what s the cost of a pairing compared to [insert related operation] tell us about your [insert kind adjective] work on arbitrary genus arithmetic tell us more about the magic involved in deriving the faster formulas in Chapters 3 and 4 why didn t your high-security pairings timings break the software speed record at the 256-bit level? show us a pairing in Magma / 47
Fixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationFaster Pairings on Special Weierstrass Curves
craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationSpeeding up Ate Pairing Computation in Affine Coordinates
Speeding up Ate Pairing Computation in Affine Coordinates Duc-Phong Le and Chik How Tan Temasek Laboratories, National University of Singapore, 5A Engineering Drive 1, #09-02, Singapore 11711. (tslld,tsltch)@nus.edu.sg
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Kristin Lauter, Peter L. Montgomery, and Michael Naehrig Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA {klauter, petmon, mnaehrig}@microsoft.com
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationImplementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationarxiv: v3 [cs.cr] 5 Aug 2014
Further Refinements of Miller Algorithm on Edwards curves Duc-Phong Le, Chik How Tan Temasek Laboratories, National University of Singapore 5A Engineering Drive 1, #09-02, Singapore 117411. arxiv:1305.2694v3
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationFast hashing to G2 on pairing friendly curves
Fast hashing to G2 on pairing friendly curves Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationUnbalancing Pairing-Based Key Exchange Protocols
Unbalancing Pairing-Based Key Exchange Protocols Michael Scott Certivox Labs mike.scott@certivox.com Abstract. In many pairing-based protocols more than one party is involved, and some or all of them may
More informationPairing Computation on Elliptic Curves of Jacobi Quartic Form
Pairing Computation on Elliptic Curves of Jacobi Quartic Form Hong Wang, Kunpeng Wang, Lijun Zhang, and Bao Li {hwang,kpwang,ljzhang,lb}@is.ac.cn State Key Laboratory of Information Security Graduate University
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationA Variant of Miller s Formula and Algorithm
A Variant of Miller s Formula and Algorithm John Boxall 1, Nadia El Mrabet 2, Fabien Laguillaumie 3, and Duc-Phong Le 4 1 LMNO Université de Caen Basse-Normandie, France john.boxall@unicaen.fr 2 LIASD
More informationConstructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography
Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography Naomi Benger and Michael Scott, 1 School of Computing, Dublin City University, Ireland nbenger@computing.dcu.ie
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationPairings for Cryptographers
Pairings for Cryptographers Craig Costello t-craigc@microsoft.com talk based on disjoint work (not mine) by: Steven Galbraith, Kenny Paterson, Nigel Smart August 15, 2012 1 /22 Pairing groups A pairing
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationEfficient Pairings Computation on Jacobi Quartic Elliptic Curves
Efficient Pairings Computation on Jacobi Quartic Elliptic Curves Sylvain Duquesne 1, Nadia El Mrabet 2, and Emmanuel Fouotsa 3 1 IRMAR, UMR CNRS 6625, Université Rennes 1, Campus de Beaulieu 35042 Rennes
More informationPairing-Friendly Elliptic Curves of Prime Order
Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline
More informationSubgroup security in pairing-based cryptography
Subgroup security in pairing-based cryptography Paulo S. L. M. Barreto 1, Craig Costello 2, Rafael Misoczki 1, Michael Naehrig 2, Geovandro C. C. F. Pereira 1, and Gustavo Zanon 1 1 Escola Politécnica,
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationPairing computation on Edwards curves with high-degree twists
Pairing computation on Edwards curves with high-degree twists Liangze Li 1, Hongfeng Wu 2, Fan Zhang 1 1 LMAM, School of Mathematical Sciences, Peking University, Beijing 100871, China 2 College of Sciences,
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 5, 2017 Šibenik, Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic
More informationEfficient Tate Pairing Computation Using Double-Base Chains
Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,
More information2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B
Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-
More informationFaster Computation of the Tate Pairing
Faster Computation of the Tate Pairing Christophe Arène a, Tanja Lange,b, Michael Naehrig b,c, Christophe Ritzenthaler a a Institut de Mathématiques de Luminy 163, avenue de Luminy, Case 907 13288 Marseille
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationParshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU
Parshuram Budhathoki FAU October 25, 2012 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization Alice, Bob and Charlie want to
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationEdwards coordinates for elliptic curves, part 1
Edwards coordinates for elliptic curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 19.10.2007 Tanja Lange http://www.hyperelliptic.org/tanja/newelliptic/
More informationMontgomery Algorithm for Modular Multiplication with Systolic Architecture
Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationThe Eta Pairing Revisited
1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto
More informationOn near prime-order elliptic curves with small embedding degrees (Full version)
On near prime-order elliptic curves with small embedding degrees (Full version) Duc-Phong Le 1, Nadia El Mrabet 2, and Chik How Tan 1 1 Temasek Laboratories, National University of Singapore {tslld,tsltch}@nus.edu.sg
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationWhat About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?
What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,
More informationEfficient hash maps to G 2 on BLS curves
Efficient hash maps to G 2 on BLS curves Alessandro Budroni 1 and Federico Pintore 2 1 MIRACL Labs, London, England - budroni.alessandro@gmail.com 2 Department of Mathematics, University of Trento, Italy
More informationPairing-Friendly Twisted Hessian Curves
Pairing-Friendly Twisted Hessian Curves Chitchanok Chuengsatiansup 1 and Chloe Martindale 2 1 INRIA and ENS de Lyon 46 Allée d Italie 69364 Lyon Cedex 07, France chitchanok.chuengsatiansup@ens-lyon.fr
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationOn Near Prime-Order Elliptic Curves with Small Embedding Degrees
On Near Prime-Order Elliptic Curves with Small Embedding Degrees Duc-Phong Le, Nadia El Mrabet, Tan Chik How To cite this version: Duc-Phong Le, Nadia El Mrabet, Tan Chik How. On Near Prime-Order Elliptic
More informationImplementing Cryptographic Pairings over Barreto-Naehrig Curves
Implementing Cryptographic Pairings over Barreto-Naehrig Curves Augusto Jun Devegili 1, Michael Scott 2, and Ricardo Dahab 1 1 Instituto de Computação, Universidade Estadual de Campinas Caixa Postal 6176,
More informationThe Eta Pairing Revisited
The Eta Pairing Revisited F. Hess 1, N. Smart 2, and Frederik Vercauteren 3 1 Technische Universität Berlin, Fakultät II, Institut für Mathematik, MA 8-1, Strasse des 17. Juni 136, D-10623 Berlin, Germany.
More informationFaster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions
Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions Robert Granger and Michael Scott School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland. {rgranger,mike}@computing.dcu.ie
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationFast arithmetic and pairing evaluation on genus 2 curves
Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationFINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD
FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationEfficient Computation for Pairing Based
Provisional chapter Chapter 3 Efficient Computation for Pairing Based Cryptography: Efficient Computation A Statefor ofpairing the Art Based Cryptography: A State of the Art Nadia El Mrabet Nadia El Mrabet
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationExponentiating in Pairing Groups
Exponentiating in Pairing Groups Joppe W. Bos, Craig Costello, and Michael Naehrig Microsoft Research, USA Abstract. We study exponentiations in pairing groups for the most common security levels and show
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationPairings on Generalized Huff Curves
Pairings on Generalized Huff Curves Abdoul Aziz Ciss and Djiby Sow Laboratoire d Algèbre, Codage, Cryptologie, Algèbre et Applications Université Cheikh Anta Diop de Dakar, Sénégal BP: 5005, Dakar Fann
More information