Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings
|
|
- Olivia Potter
- 6 years ago
- Views:
Transcription
1 Attractive Subfamilies of BLS Curves for Implementing High-Security Pairings Craig Costello,2, Kristin Lauter 2, and Michael Naehrig 2,3 Information Security Institute Queensland University of Technology, GPO Box 2434, Brisbane QLD 400, Australia 2 Microsoft Research One Microsoft Way, Redmond, WA 98052, USA 3 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 53, 5600 MB Eindhoven, Netherlands Abstract. Barreto-Lynn-Scott (BLS) curves are a stand-out candidate for implementing high-security pairings. This paper shos that particular choices of the pairing-friendly search parameter give rise to four subfamilies of BLS curves, all of hich offer highly efficient and implementationfriendly pairing instantiations. Curves from these particular subfamilies are defined over prime fields that support very efficient toering options for the full extension field. The coefficients for a specific curve and its correct tist are automatically determined ithout any computational effort. The choice of an extremely sparse search parameter is immediately reflected by a highly efficient optimal ate Miller loop and final exponentiation. As a resource for implementors, e give a list ith examples of implementation-friendly BLS curves through several high-security levels. Keyords: Pairing-friendly, high-security pairings, BLS curves. Introduction Current public-key security recommendations have influenced a concentrated effort from the pairing-based community toards optimiing the implementation of pairings on Barreto-Naehrig (BN) curves [4]. Indeed, aside from an array of many other attractive properties (see [20, 23] for more details), BN curves are perfectly suited to the security level of 28 bits (cf. [2], [32], and [2,.]), since they achieve an optimal balance beteen the necessary sies of the three groups involved in the pairing e : G G 2 G T. The BN pairing speed record of 0 million cycles set by Hankerson et al. in 2008 [4] stood until mid 200, hen Acknoledges funding from the Australian-American Fulbright Commission, the Queensland Government Smart State PhD Scholarship, and an Australian Postgraduate Aard.
2 three papers appeared in rapid succession [22, 7, ], each one shaving more time off the previous record and pushing the limit of efficiency at this security level. This ork as pinnacled by Aranha et al. [], ho applied a combination of improvements to accelerate the entire pairing computation to less than 2 million cycles. As implementors seemingly converge toards a satisfaction asymptote at the 28-bit security level, the focus is no beginning to shift to optimiing pairings at higher security levels. As Scott details [25], scaling security in pairing-based cryptography is fundamentally different than doing so in traditional public-key protocols that only require one group definition. Whilst increasing the security of other number theoretic protocols usually requires an increase in the sie of the modulus, an optimied scaling in the context of pairing-based cryptography can be achieved by increasing the embedding degree. Utiliing the flexibility of a higher embedding degree allos an implementor to inflate the sie of the finite field target group G T at a greater rate than the corresponding inflation in the elliptic curve groups G and G 2, paying respect to the faster subexponential attacks that must be resisted in G T. Stepping up to a significantly higher security level therefore calls for a different family of pairing-friendly elliptic curves altogether, and although many of the previous optimiations (e.g. for BN curves) can be immediately or easily transferred to computing pairings on the ne curves, there are naturally ne issues that arise hen advancing toards a thorough optimiation. This ork focuses on pairings that employ the Barreto-Lynn-Scott (BLS) family ith k = 24 [3] (see also [2, 6.6]). The BLS family has already been identified as the prime candidate for 256-bit secure pairings by Scott [27], ho no holds the current softare speed record at this level. The aim of this paper is to provide some of the finer details that ill begin to pave the ay for implementors ho may ish to further accelerate the state-of-the-art timings on BLS curves. The bulk of our discussion is motivated by Pereira et al. s ork in the case of BN curves [23], here they detail a very simple method of generating highly optimal instantiations of implementation-friendly BN curves. With the same intent, e point out four highly attractive subfamilies of BLS curves that facilitate very efficient instantiations of high-security pairings. The proposed curves are found by restricting the search parameter x in the polynomial representation to any one of four specific congruency classes, namely x 0 7, 6, 3, 64 (mod 72). These choices result in prime fields of characteristic p 9 (mod 24), hich in turn leads to three very efficient toering options for the full extension field F p 24. We sho that all curves found in any of the proposed subfamilies can immediately be given by the same short Weierstraß equation over F p, and the unique sextic tist E of correct order for use in the ate pairing setting is automatically determined. Not only is there no computational effort necessary to rite don the curve equations once the prime p is found, both E and E can be represented very compactly by the polynomial parameter x 0 alone. We give some details on line function computation and discuss an efficient version of the hard part in the final exponentiation. As a resource for implementors,
3 e give elaborate lists of example curves covering a range of high-security levels beteen 92- and 320-bit security, including the dedicated BLS security level of 256 bits. We have chosen the examples ith a very sparse parameter x hich leads to a lo number of addition steps in the Miller loop and simultaneously very efficient exponentiations by x, hich are needed in the final exponentiation. The remainder of this paper is organied as follos. Section 2 gives a brief background on the BLS family for embedding degree k = 24 and on computing optimal pairings on BLS curves. Section 3 describes the proposed implementationfriendly subfamilies of BLS curves, hilst Section 4 details some choices that can facilitate more simple pairing code. In Section 5 e apply the ork of Scott et al. [29] to give details on the final exponentiation routine. Lists of example curves at several security levels are presented in Section 6. Finally, Appendix A provides timing results of a C implementation of the optimal ate pairing on BLS curves. 2 Background The BLS family ith embedding degree 24. In [3], Barreto, Lynn and Scott propose polynomial parametriations for certain complete pairing-friendly curve families for specific fixed embedding degrees. All curves belonging to one of these so-called cyclotomic families have CM discriminant D = 3 (i.e. j-invariant j = 0) and can be given by a short Weierstraß equation E : y 2 = x 3 + b. For embedding degree k = 24, the Barreto-Lynn-Scott (BLS) family is given by the folloing parametriation (see also [2, Construction 6.6]): p(x) = (x ) 2 (x 8 x 4 + )/3 + x, r(x) = x 8 x 4 +, n(x) = (x ) 2 (x 8 x 4 + )/3, t(x) = x +, f(x) = (x )(2x 4 )/3. () Finding a specific BLS curve is achieved by running through integer values x 0 (mod 3) until p(x 0 ) and r(x 0 ) are both prime (note that x 0 (mod 3) leads to all involved parameters being integers). For each set of parameters, there exists an elliptic curve E over F p such that #E(F p ) = n(x 0 ). The correct curve E can be found by trying different values for b (i.e. different tists) and checking for the right group order. Another alternative is to compute the coefficient by the algorithm described in [24]. Since r(x 0 ) n(x 0 ), there is a subgroup of E(F p ) of prime order r(x 0 ). The CM discriminant is D = 3 because 4p(x 0 ) t(x 0 ) 2 = 3f(x 0 ) 2. The family has a ρ-value of ρ = deg(p)/ deg(r) =.25. BLS curves achieve the smallest ρ-value for k = 24 (see [2, Section 8]); they have tists of degree 6 and allo for many optimiations hen computing pairings, similar to Barreto-Naehrig (BN) curves. A particularly nice property is that the ate pairing [5] already provides an optimal pairing [33]. The number of iterations in Miller s algorithm to compute the ate pairing is log(t(x 0 ) ) = log(x 0 ) log(r(x 0 ))/ϕ(k) = log(r(x 0 ))/8. According to key sie recommendations in [2], [32], and [2, Section ], BLS curves are a good choice for pairings at the high-security 256-bit level. Indeed,
4 Scott [27] recently demonstrated an efficient implementation of pairings on BLS curves at that level. An optimal ate pairing. We no briefly recall the ate pairing on BLS curves and the arithmetic that is involved in its computation. Let E/F p be a BLS curve ith parameters constructed as above given an integer x 0 (mod 3), i.e. p = p(x 0 ), r = r(x 0 ) and so forth. Then there exists a unique tist E /F p 4 ith r #E (F p 4) ith tisting isomorphism ψ : E E over F p 4. Let us define the usual groups G = E(F p )[r] and G 2 = ker(φ p [p]) E(F p 24)[r] as the - and p-eigenspaces of the Frobenius endomorphism φ p on E[r]. Let the group G 2 = ψ (G 2 ) be the preimage of G 2 under ψ. Let T = t. As outlined in [9], e can either compute the original ate pairing a T : G 2 G F p 24, (Q, P ) f T,ψ(Q )(P ) p24 r, by untisting Q for the computation of f T,ψ(Q ); or e can compute a T : G 2 G F p 24, (Q, P ) f T,Q (ψ (P )) p24 r, i.e. compute entirely on the tist by tisting P to E. A function f T,R (S) for points R, S on E or E as above is computed ith Miller s algorithm [9]. It involves curve arithmetic in G 2, i.e. doubling and addition of points on the curve E over the field F p 4 and the computation of line functions from points in G 2 evaluated at a point in G or its preimage under ψ. The computations in F p 4 for point doubling and addition and for obtaining the corresponding line function coefficients share partial results and are thus usually optimied together. Depending on the context in hich the pairing is used and the computing platform, one needs to choose beteen affine and different variants of projective coordinates to find the best formulas for these operations. The function f T,R (S) is built up by accumulating the line function values. This requires efficient squaring and multiplication-by-line-function operations in the full extension field F p 24. The final exponentiation on elements in F p has a 24 fixed exponent and it is possible to use specialied more efficient squaring operations as ell as other optimiations [3, 7, ]. Full extension field arithmetic needs to be particularly efficient as pairing efficiency strongly depends on it. It is therefore important to ork ith a ell-chosen extension field toer [6]. 3 Particularly friendly subfamilies In this section e sho that specialiing the congruency classes of the curvefinding search parameter gives rise to four subfamilies of k = 24 BLS curves that are highly efficient in terms of all operations required in a pairing computation. Specifically, e sho that rather than searching ith x 0 (mod 3), searching ith any of x 0 7, 6, 3, 64 (mod 72) guarantees that the curves found offer (among other things) the folloing advantages.
5 The curve constant b is immediately determined (see Proposition 3 belo). This saves performing expensive computations that test different values of b and the corresponding group order until the correct tist is found; or the checks for quadratic and cubic residuosity and root computations for the algorithm in [24]. Highly efficient field toer options are available (see Proposition 2 belo). This facilitates very efficient field arithmetic in the full extension field (and all intermediate subfields). The correct tist is immediately determined (see Proposition 4 belo). Among other savings, having an automated and general representation for the correct tist saves group arithmetic on curves over the quartic extension field F p 4 in the generation phase. Also, the representations of the tists are alays simple and facilitate nice back-and-forth isomorphisms beteen E and E. In addition to the above efficiency benefits, generating curves ith identical or consistent parameters also offers the advantage of code reusability across different instantiations and security levels. This allos an implementor the flexibility of scaling parameter sies to better match a neighboring security level ithout changing any of the pairing code. Furthermore, having fixed coefficients for the curve and its tist leads to a very compact ay of representing the curve data. Note that in this setting, the knoledge of the generating parameter x 0 uniquely determines all information about both curves. What only remains is to give generators for the groups G and G 2, except for the case of x 0 64 (mod 72) for hich a compact generator in G is alays available as [h](3, 5) ith high probability, here h is the cofactor, i.e. [h] maps elements of E(F p ) into G. x 0 p(x 0) n(x 0) efficient E E (mod 72) (mod 72) (mod 72) toer (eq. ()) (eq. ()) (Prop. 2) (Prop. 3) (Prop. 4) y 2 = x 3 + y 2 = x 3 ± /v y 2 = x y 2 = x 3 ± 4v y 2 = x 3 + y 2 = x 3 ± v y 2 = x 3 2 y 2 = x 3 ± 2/v Table. Four attractive subfamilies of BLS curves We split the rest of this section into to subsections. The first subsection is dedicated to proving the claims in Table and shoing that taking x 0 7, 6, 3, 64 (mod 72) ill alays give rise to highly efficient BLS instantiations. The intention of the second subsection is to detail hy x 0 7, 6, 3, 64 (mod 72) reign supreme over the other possible congruence classes.
6 3. Using the four classes x 0 7, 6, 3, 64 (mod 72) We start ith a lemma that is instrumental in some of the proofs that follo. For a prime p, let QR(p) denote the set of quadratic residues modulo p. Lemma. Let x 0 Z be any of x 0 7, 6, 3, 64 (mod 72), and let p = p(x 0 ) ith p given by () be a prime. Then 2 is neither a quadratic nor a cubic residue modulo p. Proof. A simple calculation shos that for x 0 7, 6, 64 (mod 72), e have p(x 0 ) 9 (mod 72). For x 0 3 (mod 72), e have p(x 0 ) 43 (mod 72). In both cases, it is easy to deduce that 2 QR(p). It remains to sho that 2 is not a cube modulo p for each of the x 0 values. For all four cases, e use [6, Prop ], hich states that for p (mod 3), 2 is a cubic residue modulo p if and only if there exist integers C, D such that p = C D 2. According to [6, Prop ], for p (mod 3) there alays exist integers A and B such that 4p = A 2 +27B 2 and A, B are unique up to sign. Thus, if A and B in this unique representation are both even, 2 is a cube modulo p, otherise it is not. In each of the four cases x 0 7, 6, 3, 64 (mod 72), e examine A and B in terms of the polynomials from (). The CM norm equation for the BLS family is 4p = t 2 + 3f 2, here f = (x 0 )/3 (2x 4 0 ), see (). For x 0 64 (mod 72), e have f(x 0 ) 0 (mod 3) hich allos us to rite 4p(x 0 ) = t(x 0 ) (f(x 0 )/3) 2, so A = t(x 0 ) = x (mod 72) and B = f(x 0 )/3 = (x 0 )/9 (2x 4 0 ) 25 (mod 72) are both odd, meaning that for x 0 64 (mod 72), 2 is not a cubic residue modulo p(x 0 ). For the other three cases x 0 7, 6, 3 (mod 72), it is easy to sho that f(x 0 ) 0 (mod 3), so the CM equation does not directly yield A and B. The to cases x 0 7, 6 (mod 72) can be handled by considering a transformation of the CM norm as ( ) 2 ( ) 2 3f + t t f 4p = For x 0 7 (mod 72), t(x 0 ), f(x 0 ) 2 (mod 6), so that both A = (3f + t)/2 and B = (t f)/6 are integers. Furthermore, f(x 0 ) 2 mod 4 and t(x 0 ) 0 (mod 4) reveal that 3f + t 2 (mod 4) so that A is odd, from hich it follos that 2 is not a cubic residue modulo p(x 0 ) for x 0 7 (mod 72). For x 0 6 (mod 72), e have t(x 0 ), f(x 0 ) (mod 2) and t(x 0 ), f(x 0 ) 2 (mod 3). Furthermore, since t(x 0 ) (mod 4) and f(x 0 ) 3 (mod 4), again e conclude that 3f + t 2 (mod 4), meaning that A = (t 3f)/2 is odd and 2 is not a cube modulo p(x 0 ) for x 0 6 (mod 72). Finally, for x 0 3 (mod 72), e require a slightly different transformation of the CM equation as ( ) 2 ( ) 2 t 3f t + f 4p = In this case t(x 0 ) 2 (mod 6) and f(x 0 ) 4 (mod 6) so that A = (t 3f)/2 and B = (t+f)/6 are integers. Since t(x 0 ) 0 (mod 4) and f(x 0 ) 2 (mod 4),
7 it follos that A (mod 4) is odd and 2 is not cube modulo p(x 0 ) for x 0 3 (mod 72). The ideal ay to form a quadratic extension field arises hen p 3 (mod 4) hich allos us to take F p 2 = F p (u), u 2 + = 0. Operations in F p [u]/(u 2 + ) are cheaper than operations in F p [u]/(u 2 α) for any other non-residue α F p, since multiplication by α ± costs additions in F p (or see [0]). Since e have p 9 (mod 24) in all four cases, e alays have p 3 (mod 4). For the extension from F p 2 to F p 4 = F p 2(v), the ideal irreducible binomial in terms of simplicity ould be v 2 + u. Unfortunately the folloing proposition shos that if e form F p 2 as above, then this binomial cannot be used to define F p 4 (and this statement is true for any quartic extension fields, hether in the context of pairings or not). Proposition. If p 3 (mod 4), and F p 2 is constructed as F p (u), u 2 + = 0, then the polynomial x 2 + su ith s F p is reducible over F p 2. In particular, F p 4 cannot be constructed over F p 2 using a binomial of the above form. Proof. Since / QR(p), precisely one of s/2 or s/2 is a quadratic residue modulo p. In the first case, rite x 2 + su = x 2 + 2a 2 u = (x + au a)(x au + a) for s = 2a 2, a F p. In the second case, taking s = 2a 2 for some a F p gives x 2 + su = x 2 2a 2 u = (x + au + a)(x au a). Thus, x 2 + su ith s F p is reducible over F p 2. Nevertheless, a binomial that is almost as attractive in terms of efficiency is v 2 + (u + ), since multiplications by u + in F p 2 also come almost for free. The folloing proposition shos that the proposed subfamilies of BLS curves alays allo F p 4 to be constructed using this binomial. Furthermore, e also sho that the rest of the toer up to F p 24 can be constructed in three different ays; all three of hich employ optimal binomials, but may be preferred by implementors depending on various factors, such as the nature of previous pairing code, or hether compression is desired. Proposition 2. Let x 0 Z be any of x 0 7, 6, 3, 64 (mod 72). If p = p(x 0 ) given by the polynomial in () is prime, then the extension field F p 24 can be constructed using any of the folloing toering options T, T 2, T 3 : F p u 2 + F p 2 F 3 + p 8 F p 24; T, 2 +v v 2 +u+ F 6 +v p 4 F p 24; T 2, 3 +v F p 2 F p 24; T
8 Proof. For all four congruency classes x 0 7, 6, 3, 64 (mod 72), e have p(x 0 ) 9 (mod 24), so that p 3 (mod 4) and e can use F p 2 = F p (u) = F p [u]/(u 2 +). For the remaining irreducibility arguments, e make use of a theorem due to Benger and Scott [6, Thm. 4]. We immediately note that 2, 3 p. Let us compute N Fp 2 /F p ( (u + )) = N Fp 2 /F p ( )N Fp 2 /F p (u + ) = (u + ) p+ = (u + ) p (u + ) = ( u)(u + ) = 2. Since 2 is not a quadratic residue modulo p, Theorem 4 of [6] ensures that v 2 + u + is irreducible in F p 2[v] and e can construct F p 4 = F p 2[v]/(v 2 + u + ). Next, e compute N Fp 4 /F p ( v) = N Fp 4 /F p ( )N Fp 4 /F p (v) = N Fp 4 /F p (v) = v +p+p2 +p 3 = (v +p2 ) +p = (( (u + )) +p2 ) (+p)/2 = ((u + ) 2 ) (+p)/2 = (u + ) p+ = 2. Lemma tells us that 2 is neither a quadratic nor a cubic residue modulo p, and thus it follos from [6, Thm. 4] that 2 + v, 3 + v and 6 + v are all irreducible over F p 4, giving rise to the toer T 2, to T up to F p 8 and T 3 up to F p 2. For the remaining parts of T and T 3, e similarly compute N Fp 2 /F p ( ) = 2 (+p4 +p 8 )/3 and N Fp 8 /F p ( ) = 2 (+p4)/2. Since p (mod 6) for all cases, it follos that ( + p 4 + p 8 )/3 is odd and so N Fp 2 /F p ( ) is not a square in F p since 2 is not a square by Lemma. Similarly, (p 4 + )/2 (mod 3) and so N Fp 8 /F p ( ) is not a cube in F p. Therefore, [6, Thm. 4] ensures irreducibility of the remaining polynomials and completes the proof. We have no shon that once a BLS prime p is found using x 0 7, 6, 3, 64 (mod 72), a highly efficient toer is immediately available. The folloing to propositions sho that the curve constant and tisted curve are also immediate in all four cases. Proposition 3. If x 0 7, 3 (mod 72) in () produces a prime p = p(x 0 ), then the curve E/F p : y 2 = x 3 + is alays such that r = r(x 0 ) n = #E(F p ). Similarly, for x 0 6 (mod 72), the desired curve is alays E/F p : y 2 = x Finally, for x 0 64 (mod 72), the desired curve is alays E/F p : y 2 = x 3 2. Proof. It is ell knon that if g is neither a square nor a cube in F p, then all possible group orders an elliptic curve E : y 2 = x 3 + b can have over F p occur as the order of one of the 6 tists ith b {, g, g 2, g 3, g 4, g 5 }. Specifically, choosing b as exactly one of {, g, g 2, g 3, g 4, g 5 } ill give the correct number of points (cf. [3, X.5]), i.e. the curve ith r n = #E(F p ). Lemma shos that e can take g = 2, so that in all four cases the correct b is exactly one of {, 2, 4, 8, 6, 32}. For both x 0 7 (mod 72) and x 0 3 (mod 72), e have n(x 0 ) = (x 0 ) 2 (x 8 0 x )/3 2 (mod 72) from (). Thus, both cases have 2, 3 n, meaning that the correct curves E/F p necessarily contain points of order 2 and points of order 3. This implies that b is both a quadratic and cubic residue modulo p, from hich it follos that b = is the only option. For x 0 6 (mod 72), observe that n(x 0 ) 3 (mod 72) and thus the correct curve E has a point of order 3, but not a point of order 2. This rules out b =, 8, since the points (, 0) and ( 2, 0) have order 2 on the respective curves. The
9 curve E/F p : y 2 = x 3 + b has a point of order 3 if and only if b is a square in F p, hich rules out b = 2, and therefore b = 32 as ell. To rule out b = 6, e first observe that since n = n(x 0 ) 3 (mod 72), 9 n and E/F p has at most three points of order 3. If b = 6, then to such points are (0, 4) and (0, 4). It is easy to see that 3 QR(p), so let ν 2 = 3 for ν F p, and rite P = ( 4, 4ν) E(F p ) : y 2 = x An easy calculation (e.g. using point doubling formulas) shos that [2]P = ( 4, 4ν) = P, so that P has order 3, and similarly for P. Thus, there are at least four points of order 3 in F p if b = 6 contradicting 9 n, hich leaves b = 4 as the only option. For x 0 64 (mod 72), e can make use of Algorithm 3.5 in [24], here in our case U = t/2 and V = f/2. Since 2V = f(x 0 ) 0 mod 3 and 2U = t(x 0 ) = 2 mod 3, e immediately have E/F p : y 2 = x as the correct curve. Lastly, since 2 QR(p), rite µ 2 = 2 for µ F p, so that µ 6 = 8. Since E/F p : y 2 = x is isomorphic to Ẽ/F p : y 2 = x 3 + 6/µ 6 over F p, e can take b = 6/ 8 = 2 as the curve constant instead. Proposition 4. If x 0 7 (mod 72) produces the BLS curve y 2 = x 3 + described in Proposition 3, and F p 4 is constructed as in Proposition 2, then the correct sextic tist ith r = r(x 0 ) #E (F p 4) can be obtained as both E /F p 4 = y 2 = x 3 + /v and E /F p 4 : y 2 = x 3 /v. Similarly, x 0 6 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + 4v or E /F p 4 : y 2 = x 3 4v; x 0 3 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + v or E /F p 4 : y 2 = x 3 v; and finally, x 0 64 mod 72 gives rise to the correct tist as both E /F p 4 : y 2 = x 3 + 2/v or E /F p 4 : y 2 = x 3 2/v. Proof. We first note that = u 6 is a sixth poer in F p 2. Therefore, for b F p 4, the curves given by y 2 = x 3 + b and y 2 = x 3 b are isomorphic over F p 4. In each case the correct tist E is unique ith the property that r #E (F p 4) and it has degree 6 (see [5]). Since there are exactly to tists of E of degree 6 over F p 4, there are only to possible group orders. We have #E(F p 4) = p 4 + t 4, here t 4 can be computed from t and f (notation as before) as t 4 = (t 4 8t 2 f 2 + 9f 2 )/8 (see [3, V.2]). If e define f 4 by 4p 4 = t f 2 4, the possible group orders for the sextic tist are given in [5] as n 4, = p 4 + (3f 4 t 4 )/2, n 4,2 = p 4 + ( 3f 4 t 4 )/2. We compute both n 4, and n 4,2 as polynomials in terms of the parametriation (), and evaluate them at each of the congruency classes hich reveals opposing parities each time. The remainder of the proof is essentially the same for all four congruencies classes, so e demonstrate completely ith x 0 6 (mod 72). Taking x 0 6 (mod 72) gives n 4, 28 (mod 72) and n 4,2 49 (mod 72). In particular, n 4, is even and n 4,2 is odd in this case. From the polynomial parametriation, it is easy to check that r n 4,. Therefore, the unique sextic tist e are looking for in this case has an even group order over F p 4. Proposition 2 shos that v is neither a square nor a cube in F p 4, so the correct tist can be given as y 2 = x 3 + 4v or as y 2 = x 3 + 4v 5. We have 4v = (N Fp 4 /Fp (v)) 2 v = v 3+2p+2p2 +2p 3 as in the proof of Proposition 2. Since the
10 exponent on the right hand side of the last equation is divisible by 3, e conclude that 4v is a cube in F p 4. Similarly, one can sho that 4v 5 is not a cube. Since 4v is a cube, the curve y 2 = x 3 + 4v has a point of order 2, namely ( c, 0) ith c 3 = 4v. Hence its order is even and e have found the correct tist for x 0 6 (mod 72). The other three cases are proven analogously. 3.2 The other congruency classes We no sho hy the four congruency classes x 0 7, 6, 3, 64 (mod 72) stand out over the other congruency classes. After all, restricting x 0 (mod 3) to any or all of the proposed classes essentially discards 20 out of 24 other congruency classes modulo 72. Of course, there ill alays be examples here some of the discarded congruency classes produce curves that also perform highly efficiently. Hoever, e argue that x 0 7, 6, 3, 64 (mod 72) are the only classes for hich e can alays simultaneously guarantee the propositions in the previous subsection. Quadratic extension to F p 2: We start by eliminating the classes of x 0 mod 72 hich do not facilitate the quadratic extension as F p 2 = F p (u), u 2 + = 0. Of the 24 possible x 0 values modulo 72 in {, 4, 7,..., 67, 70}, 2 have x 0, 0 (mod 2), hich alays (undesirably) produce p (mod 2). The remaining 2 are {4, 7, 6, 9, 28, 3, 40, 43, 52, 55, 64, 67} ith x 0 = 4, 7 (mod 2), hich alays produce p(x 0 ) 7 (mod 2). Quadratic extension to F p 4: If F p 4 is to be constructed as F p 4 = F p 2(v), v 2 + u + = 0, then (refer back to the proof of Proposition 2) e can only guarantee this if N Fp 2 /F p ( (u + )) = 2 is not a quadratic residue in F p. Substituting the remaining 2 candidates for x 0 (mod 72) into () reveals only 4 possibilities for p (mod 72), those being p 7, 9, 43, 55 (mod 72). It is easy to check that only to of these have 2 / QR(p), namely p 9, 43 (mod 72). These correspond to 6 of the remaining x 0 congruencies, shrinking the pool of preferred candidates to {7, 6, 3, 40, 55, 64}. Sextic extension to F p 24: The proposed sextic extensions in Proposition 2 that employ simple binomials to form F p 24 over F p 4 require that 2 is not a cube in F p. This does not alays happen for x 0 {40, 55}. For the sake of counter examples, x 0 = (mod 72) and x 0 = (mod 72) produce BLS curves here 2 is a cube modulo p, and therefore fields hich can not use the toer in Proposition 2. Even if alternative binomials can be found in such cases, the fact that 2 is a cubic residue also affects the ease of guaranteeing the smallest identical curve constant b for all curves in the subfamily, as e ere able to do for the proposed four congruency classes in Proposition 3. For example, the smallest curve constant for the curve found ith x 0 = (mod 72) is b = 3, hilst the smallest constant for the curve found ith x 0 = (mod 72) is b = 9.
11 4 Choosing simple lines: tisting vs. untisting The aim of this short section is to detail some choices that can facilitate more simple (and theoretically faster) pairing code. For 28-bit security BN implementations, the complexity of a single Miller loop is higher than complexity of a single final exponentiation (see any of [22, 7, ]). Hoever, as the security level and embedding degree increases, a final exponentiation becomes much more costly than a Miller loop [] (or see our timings in Appendix A). This could influence implementors paying less attention to more complicated subtleties ithin the Miller loop, like adopting projective coordinates, and instead focusing on speedups ithin the exponentiation routine. On the other hand, a large number of recent pairing protocols like attribute-based encryption (ABE) require many Miller loops for each exponentiation (see Scott s recent ork [27] for an in depth look), and therefore in these scenarios savings ithin the loop again become more significant overall. In any case, a thoroughly optimied implementation ill make use of the fastest formulas inside the Miller loop, so even though our implementation slightly favored affine coordinates, and indeed Scott s current 256-bit record [27] also employed affine coordinates, it could ell be that a thoroughly optimied projective routine (like [] for k = 2) ends up outperforming affine formulas at this level too. We refer to [8, 9, 8] for ays to find the most efficient coordinate system depending on the specific protocol and implementation situation. As e mentioned briefly in the previous section, the choice of hich toer (T, T 2, T 3 in Proposition 2) to use in an implementation could be influenced by a number of factors. For example, if lo bandidth requirements favored maximum compression techniques [28], then T ould seem most appropriate. On the other hand, if the major priority is ra speed, then one could employ the field arithmetic presented in [0, 6] and favor the (slightly faster) quadratic over cubic extension offered by T 3. Or perhaps most commonly, if the implementor is adopting BLS curves to scale a prior (say BN) pairing implementation to a higher security level, then the toered code for the BN sextic extension from F p 2 to F p 2 could be easily updated to BLS code for the extension from F p 4 to F p 24. In any case, there are efficient formulas available for all three of the toering choices [0, 9], so e ill treat all three cases in parallel and highlight the differences that arise. One such difference lies in the sparse doubling and addition lines that are used to update the pairing function. For each of the proposed congruency classes, Table 2 follos the exposition in [26, 5] and details the correct placing of the line function coefficients for the three toer choices T, T 2, T 3 and the to tist choices in Proposition 4, both of hich have the same group order but result in different looking line functions. The point P is alays kept in affine coordinates (x P, y P ). For the affine formulas the line simply is l(p ) = y P λx P c, here λ F p 4 is the slope of the line as usual and c F p 4 is the constant coefficient. Projective formulas for these line functions usually output three coefficients L 0,0, L,0, L 0, F p 4 [9] that define the evaluated update l(p ) = L 0,0 + L,0 x ψ (P ) + L 0, y ψ (P ) F p 24
12 by being attached to different algebraic elements in the representation of F p 24 over F p 4 depending on the tisting isomorphism ψ. In all cases l(p ) is a sparse element of F p 24, ith the only difference being the places that the l i occupy as a result of the different algebraic toerings and maybe a sign change. To explain the different lines in Table 2, let us briefly look at the conversion beteen representations of an element in the different toering options T, T 2, and T 3. Let us start ith an element a in T 2 given by the coefficients a 0,..., a 5 F p 4, i.e. a = a 0 + a + a a a a 5 5. Converting to T, e take 3 and thus the same element is represented as a = (a 0 + a 3 ) + (a + a 4 ) + (a 2 + a 5 ) 2. To go to T 3, e use u (i.e. 2 ) and obtain a = (a 0 + a 2 + a 4 2 ) + ( a u a 3 u a 5 u 2 ). An optimied routine must take advantage of the sparse nature of l(p ) and tailor make a specialied multiplication routine to exploit the presence of ero entries. Roughly speaking, the options in Table 2 ill give rise to similar speeds, but it is obvious to see hich tist constant an implementor ould choose (all other things being equal) if their choice of toer is already concrete. For example, if T is the chosen toer, then using b = 4v gives a slightly easier line function to code than using b = 4v. A more important difference arises hen choosing hether to leave P E and untist Q E to Q E for the line function computation, or choosing to put both points on the tist for the entire routine [9]. The nature of the proposed toer actually means that there is a significant difference beteen the simplicity of the tisting and untisting isomorphisms, and one option ill be more desirable to implement than the other. For example, hen using T and b = 4v, the untisting isomorphism ψ is ψ : (x, y ) (x/ 2, y/) = (v(u )/2 x, v( u)/2 y ), hich is more annoying to code (and theoretically slightly sloer) than using ψ : (x, y) ( 2 x, y) to tist the second argument P instead. On the other hand, if the tist is given as E : y 2 = x 3 ± b/v, as is the cases hen x 0 7, 64 (mod 72), then it is the untisting isomorphism that is clearly preferable. 5 The final exponentiation An optimied final exponentiation routine is critical for fast pairings at highsecurity levels. Scott et al. [29] propose the most efficient algorithm to date, hich exploits the polynomial representations of p and r to reduce the ork encountered after the Miller loop. The first step is to split the exponent into to parts by factoring (p k )/r and exploiting the Frobenius operator hich raises elements to the poer of p almost for free. In our case the exponent splits as: (p 24 )/r = [(p 2 ) (p 4 + )] [(p 8 p 4 + )/r]. hard part After exploiting Frobenius operations to quickly raise the output of the Miller loop to the exponent in the left square parentheses, e then face the major
13 cong. tist toer tist isomorphism Miller lines class b choice ψ : E E Affine Projective T (x, y) ( 2 x, uy) [ bv T2 (x, y) ( 2 x, u 3 y) [ 6,3 T3 (x, y) ( x, y) [ T (x, y) ( 2 x, y) [ bv T2 (x, y) ( 2 x, 3 y) [ T3 (x, y) (x, uy) [ c c c : c c c : : yp u 0 : 2 λ xp : : λ xp : yp 0 : : λ xp 0 : 0 : : 0 2 λ xp 3 yp u : 0 : yp 2 λ xp 2 λ xp : 3 yp : : : : 0 ] [ 5 0 ] [ : 0 ] [ : 0 : yp u L0,0 L0,0 : L0,0 : 0 ] [ 5 0 ] [ : 0 ] [ 2 L0,0 L0,0 L0,0 : : L0, yp u 0 : 2 L,0 xp : : L,0 xp : L0, yp 0 : : L,0 xp 2 0 : 0 : 0 2 L,0 xp : tist toer untist isomorphism Miller lines b choice ψ : E E Affine Projective T (x, y ) ( 2 x, uy ) [ yp b/v T2 (x, y ) ( 2 x, u 3 y ) [ yp : 7,64 T3 (x, y ) ( x, y ) [ T (x, y ) ( 2 x, y ) [ : c u yp b/v T2 (x, y ) ( 2 x, 3 y ) [ yp : T3 (x, y) (x, uy ) [ yp λ u xp : yp : 0 : 0 2 : c : 0 : 0 2 λ xp : λ xp u 2 0 : λ xp λ xp 2 0 : λ u xp : 0 3 c u : : c : 0 3 c : 2 0 : 0 ] [ 4 0 : 5 0 ] [ : 0 ] [ 2 L0, yp L0, yp : 2 0 : 0 ] [ 4 0 : : c u : L0,0 u : : 0 L,0 u xp : L0, yp yp 5 0 ] [ yp : : 0 ] [ 2 yp : 0 : 0 2 : L0,0 : 0 : 0 2 L,0 xp : L,0 3 2 L0, yp u : 0 : L0, yp 2 L,0 xp 3 L0, yp : xp : 0 ] 4 0 : 4 0 : 0 : L0, yp u L,0 xp u 2 0 : L,0 xp L,0 xp 2 0 : L,0 u xp 3 3 : 0 L0,0 u : : 0 L0,0 : : L0,0 2 0 : 0 ] 4 0 : : L0,0 u 5 0 ] : 0 ] 2 : 0 ] 5 0 ] 5 0 ] : 0 ] : 0 ] 4 0 : : 0 ] 2 : 0 ] 2 Table 2. Details of the Miller line function depending on the choice of toer (and tist constant). 5 0 ]
14 bottle-neck in the exponentiation: raising a value m F p 24 to the poer of the hard part. One helpful observation hich aids the remaining computations is that, after exponentiation to the poer p 2, the value m F p 24 is no such that N Fp 24 /F (m) =. This allos any inversions in F p 2 p24 to be computed for free using a simple conjugation [28, 2, 29], and any squarings in F p 24 to be computed more efficiently than standard squarings [3, 7, ]. To apply the algorithm in [29], e use the parameteriations in () to rite the hard part as (p(x) 8 p(x) 4 + )/r(x) = 7 λ i (x)p(x) i. In an appendix of her thesis, Benger [5] computed the λ i for a range of curve families, including BLS curves ith k = 24, giving λ i = ν i /3, here ν 7 (x) = x 2 2x +, ν 6 (x) = x 3 2x 2 + x = x ν 7 (x), ν 5 (x) = x 4 2x 3 + x 2 = x ν 6 (x), ν 4 (x) = x 5 2x 4 + x 3 = x ν 5 (x), i=0 ν 3 (x) = x 6 2x 5 + x 4 x 2 + 2x = x ν 4 (x) ν 7 (x), ν 2 (x) = x 7 2x 6 + x 5 x 3 + 2x 2 x = x ν 3 (x), ν (x) = x 8 2x 7 + x 6 x 4 + 2x 3 x 2 = x ν 2 (x), ν 0 (x) = x 9 2x 8 + x 7 x 5 + 2x 4 x = x ν (x) + 3. This representation reveals another nice property exhibited by k = 24 BLS curves: namely, a very convenient ay to compute the ν i ith essentially just multiplications by x. Letting µ i = m νi(x0), this structure allos us to rite the hard part of the final exponentiation as m (p8 p 4 +)/r = µ 0 µ p µp2 2 µp3 3 µp4 4 µp5 5 µp6 6 µp7 7, here the µ i can be computed using the folloing sequence of operations: µ 7 = (m x0 ) x0 (m x0 ) 2 m, µ 6 = (µ 7 ) x0, µ 5 = (µ 6 ) x0, µ 4 = (µ 5 ) x0, µ 3 = (µ 4 ) x0 (µ 7 ), µ 2 = (µ 3 ) x0, µ = (µ 2 ) x0, µ 0 = (µ ) x0 m 2 m. The computation of m (p8 p 4 +)/r requires 9 exponentiations by x 0, 2 multiplications in F p 24, 2 special squarings, 2 conjugations to compute the inverses and 7 p-poer Frobenius operations. We detail a possible scheduling for the full exponentiation routine in Table 3. Note that e can simply forget about the difference beteen the λ i and the ν i ; by leaving aay the 3 in the denominators, e just compute the third poer of the pairing. By far the most costly stage of the final exponentiation is the nine exponentiations by x 0, hich are performed using a standard square-and-multiply routine.
15 FinalExp Input: f r,q(p ) F p 24 and loop parameter x 0 Initialie f f r,q(p ), t 0 /f, m f, m m t 0, t 0 π 4 p(m), m m t 0, m m x, m 2 m x m m 2, m m, µ 7 m 2 m, µ 7 µ 7 m, µ 6 µ x 7, µ 5 µ x 6, µ 4 µ x 5, µ 7 µ 7, µ 3 µ x 4, µ 3 µ 3 µ 7, µ 2 µ x 3, µ µ x 2, µ 0 µ x, m m 2, µ 0 µ 0 m, µ 0 µ 0 m, f π p(µ 7), f f µ 6, f π p(f), f f µ 5, f π p(f), f f µ 4, f π p(f), f f µ 3, f π p(f), f f µ 2, f π p(f), f f µ, f π p(f), f f µ 0, Return f r,q(p ) (p24 )/r f. Output: f r,q(p ) (p24 )/r Table 3. The final exponentiation for BLS curves ith k = 24 This is here the BLS pairing computation benefits most from the faster squarings in F p 24, and also from an x 0 value that has lo hamming-eight hich reduces the F p 24 multiplications encountered. In the folloing section e give several examples of very lo hamming-eight x 0 values that give rise to curves in the proposed implementation-friendly BLS subfamily. 6 Example curves This section provides four lists of implementation-friendly BLS curves at security levels here the entire BLS family is either competitive across all families, or is clearly the current outright favorite. Each list (Table 4 through to Table 7) corresponds to one of the four proposed subfamilies. We start ith 92-bit security since our timings of a C implementation of the optimal ate pairing at this level (see Appendix A) agreed ith Scott s comment [27] that the stand-out candidate curve family at this level is not yet as obvious as the 28- and 256-bit levels. In our implementation both a k = 2 BN curve and k = 24 BLS curve outperformed a k = 8 KSS curve at this level. Each table lists curves here x 0 is very sparse in signed binary representation, meaning here that it has eight 3, 4 or 5. Working ith signed binary representation for the Miller loop parameter and the poerings in the final exponentiation can be considered standard and extends the space of nice curves compared to just using plain binary representation. Nevertheless, e also included many x 0 values hich have the same plain binary representation as the signed binary representation; these are the x 0 values hich share the same sign for each poer of 2. All curves given have the implementation-friendly properties outlined in the previous sections. In particular, curves in Table 4 and Table 6 have x 0 7
16 (mod 72) and x 0 3 (mod 72) respectively, and are given by E : y 2 = x 3 + ; curves in Table 5 have x 0 6 (mod 72) and are given by E : y 2 = x 3 + 4, and curves in Table 7 have x 0 64 (mod 72) and are given by y 2 = x 3 2. In all cases all parameters are uniquely defined by the short value x 0. The curves in all four tables ere found by trying all possibilities for the signed binary representation of x 0 ith a fixed eight such that x 0 belongs to the right congruence class modulo 72. In our search, e did not find any curves in the considered range of parameter sies here x 0 is plus or minus a poer of 2 (i.e. eight ) or here it is a binomial, a sum of to such poers (i.e. eight 2). In this sense, our search indicates that eights 3, 4 and 5 are optimal for the security levels considered in this paper. The even congruencies (x 0 6, 64 (mod 72)) gain the slight advantage over the odd congruencies (x 0 7, 3 (mod 72)), since the last bit of the binary representation of odd congruencies is obviously forced to be. Thus, curves in the even congruency classes commonly have eights 3 and 4 hilst curves in the odd congruency classes commonly have eights 4 and 5. On the other hand, the odd congruencies both give rise to curves ith b = hich ould make for slightly faster point operations, but (all other things being equal) one ould probably achieve a faster implementation by taking the x 0 value ith the loest eight possible, since one less bit in x 0 saves over 0 full F p 24 multiplications per single pairing. Restricting x 0 to sparse values only results in a certain inflexibility hen adjusting the parameter sies to exact values, for example certain multiples of ord sies on a target implementation platform. Hoever, recent high-speed implementations of pairings at the 28-bit security level have shon that lay reduction techniques give significant improvements in the field toer arithmetic and thus the overall pairing computation [7, ]. Such techniques can be employed efficiently hen the bit sie of the prime characteristic p is a fe bits less than a multiple of the ord sie, hich provides a certain space for delaying reductions for field arithmetic. In Tables 4, 5, 6 and 7 e have tried to account for this (as far as possible), by including different choices of curves at each security level that have a varying gap beteen the prime field sie and multiples of standard ord sies 32 and 64, hich are also given in the table. We believe that most implementors of pairings in softare ill find a suitable curve at the desired security level in our tables, or else ill be able to find a suitable curve themselves ith similar properties. References. Diego F. Aranha, Koray Karabina, Patrick Longa, Catherine H. Gebotys, and Julio Lópe. Faster explicit formulas for computing pairings over ordinary curves. In Kenneth G. Paterson, editor, EUROCRYPT, volume 6632 of Lecture Notes in Computer Science, pages Springer, Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. Recommendation for key management - part : General (revised). Technical report, NIST National Institute of Standards and Technology, Published as
17 security x 0 7 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 4. BLS curves ith lo-eight parameter x 0 7 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].
18 security x 0 6 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 5. BLS curves ith lo-eight parameter x 0 6 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].
19 security x 0 3 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 6. BLS curves ith lo-eight parameter x 0 3 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].
20 security x 0 64 (mod 72) eight p ords r ords security level (bits) for p (bits) for r (bits) Table 7. BLS curves ith lo-eight parameter x 0 64 (mod 72) aiming at several security levels given in the first column. The columns ords for p and ords for r give the necessary number of 32- or 64-bit ords to store the values for p and r, respectively. The last column provides the estimated actual security by the formula in [32].
Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography
Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography Naomi Benger and Michael Scott, 1 School of Computing, Dublin City University, Ireland nbenger@computing.dcu.ie
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationFaster Pairings on Special Weierstrass Curves
craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution
More informationSpeeding up Ate Pairing Computation in Affine Coordinates
Speeding up Ate Pairing Computation in Affine Coordinates Duc-Phong Le and Chik How Tan Temasek Laboratories, National University of Singapore, 5A Engineering Drive 1, #09-02, Singapore 11711. (tslld,tsltch)@nus.edu.sg
More informationFast hashing to G2 on pairing friendly curves
Fast hashing to G2 on pairing friendly curves Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Kristin Lauter, Peter L. Montgomery, and Michael Naehrig Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA {klauter, petmon, mnaehrig}@microsoft.com
More informationPairing-Friendly Elliptic Curves of Prime Order
Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationA Generalization of a result of Catlin: 2-factors in line graphs
AUSTRALASIAN JOURNAL OF COMBINATORICS Volume 72(2) (2018), Pages 164 184 A Generalization of a result of Catlin: 2-factors in line graphs Ronald J. Gould Emory University Atlanta, Georgia U.S.A. rg@mathcs.emory.edu
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationOn a generalized combinatorial conjecture involving addition mod 2 k 1
On a generalized combinatorial conjecture involving addition mod k 1 Gérard Cohen Jean-Pierre Flori Tuesday 14 th February, 01 Abstract In this note, e give a simple proof of the combinatorial conjecture
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationTheorem 5.3. Let E/F, E = F (u), be a simple field extension. Then u is algebraic if and only if E/F is finite. In this case, [E : F ] = deg f u.
5. Fields 5.1. Field extensions. Let F E be a subfield of the field E. We also describe this situation by saying that E is an extension field of F, and we write E/F to express this fact. If E/F is a field
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationA connection between number theory and linear algebra
A connection between number theory and linear algebra Mark Steinberger Contents 1. Some basics 1 2. Rational canonical form 2 3. Prime factorization in F[x] 4 4. Units and order 5 5. Finite fields 7 6.
More informationCHAPTER 3 THE COMMON FACTOR MODEL IN THE POPULATION. From Exploratory Factor Analysis Ledyard R Tucker and Robert C. MacCallum
CHAPTER 3 THE COMMON FACTOR MODEL IN THE POPULATION From Exploratory Factor Analysis Ledyard R Tucker and Robert C. MacCallum 1997 19 CHAPTER 3 THE COMMON FACTOR MODEL IN THE POPULATION 3.0. Introduction
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationAverage Coset Weight Distributions of Gallager s LDPC Code Ensemble
1 Average Coset Weight Distributions of Gallager s LDPC Code Ensemble Tadashi Wadayama Abstract In this correspondence, the average coset eight distributions of Gallager s LDPC code ensemble are investigated.
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationreader is comfortable with the meaning of expressions such as # g, f (g) >, and their
The Abelian Hidden Subgroup Problem Stephen McAdam Department of Mathematics University of Texas at Austin mcadam@math.utexas.edu Introduction: The general Hidden Subgroup Problem is as follos. Let G be
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationPoints of Finite Order
Points of Finite Order Alex Tao 23 June 2008 1 Points of Order Two and Three If G is a group with respect to multiplication and g is an element of G then the order of g is the minimum positive integer
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers
ALGEBRA CHRISTIAN REMLING 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers by Z = {..., 2, 1, 0, 1,...}. Given a, b Z, we write a b if b = ac for some
More information22. The Quadratic Sieve and Elliptic Curves. 22.a The Quadratic Sieve
22. The Quadratic Sieve and Elliptic Curves 22.a The Quadratic Sieve Sieve methods for finding primes or for finding factors of numbers are methods by which you take a set P of prime numbers one by one,
More informationOn the Optimal Pre-Computation of Window τ NAF for Koblitz Curves
On the Optimal Pre-Computation of Window τ NAF for Koblitz Curves William R. Trost and Guangwu Xu Abstract Koblitz curves have been a nice subject of consideration for both theoretical and practical interests.
More informationBivariate Uniqueness in the Logistic Recursive Distributional Equation
Bivariate Uniqueness in the Logistic Recursive Distributional Equation Antar Bandyopadhyay Technical Report # 629 University of California Department of Statistics 367 Evans Hall # 3860 Berkeley CA 94720-3860
More informationGALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)
GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) KEITH CONRAD We will describe a procedure for figuring out the Galois groups of separable irreducible polynomials in degrees 3 and 4 over
More informationEcon 201: Problem Set 3 Answers
Econ 20: Problem Set 3 Ansers Instructor: Alexandre Sollaci T.A.: Ryan Hughes Winter 208 Question a) The firm s fixed cost is F C = a and variable costs are T V Cq) = 2 bq2. b) As seen in class, the optimal
More informationOn the approximation of real powers of sparse, infinite, bounded and Hermitian matrices
On the approximation of real poers of sparse, infinite, bounded and Hermitian matrices Roman Werpachoski Center for Theoretical Physics, Al. Lotnikó 32/46 02-668 Warszaa, Poland Abstract We describe a
More informationFormulas for cube roots in F 3 m
Discrete Applied Mathematics 155 (2007) 260 270 www.elsevier.com/locate/dam Formulas for cube roots in F 3 m Omran Ahmadi a, Darrel Hankerson b, Alfred Menezes a a Department of Combinatorics and Optimization,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationMath 249B. Geometric Bruhat decomposition
Math 249B. Geometric Bruhat decomposition 1. Introduction Let (G, T ) be a split connected reductive group over a field k, and Φ = Φ(G, T ). Fix a positive system of roots Φ Φ, and let B be the unique
More informationAn Investigation of the use of Spatial Derivatives in Active Structural Acoustic Control
An Investigation of the use of Spatial Derivatives in Active Structural Acoustic Control Brigham Young University Abstract-- A ne parameter as recently developed by Jeffery M. Fisher (M.S.) for use in
More informationFaster Explicit Formulas for Computing Pairings over Ordinary Curves
Faster Explicit Formulas for Computing Pairings over Ordinary Curves Diego F. Aranha 2, Koray Karabina 1, Patrick Longa 1, Catherine H. Gebotys 1, Julio López 2 1 University of Waterloo, {kkarabin,plonga,cgebotys}@uwaterloo.ca
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationP-adic numbers. Rich Schwartz. October 24, 2014
P-adic numbers Rich Schwartz October 24, 2014 1 The Arithmetic of Remainders In class we have talked a fair amount about doing arithmetic with remainders and now I m going to explain what it means in a
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationTC10 / 3. Finite fields S. Xambó
TC10 / 3. Finite fields S. Xambó The ring Construction of finite fields The Frobenius automorphism Splitting field of a polynomial Structure of the multiplicative group of a finite field Structure of the
More informationbe any ring homomorphism and let s S be any element of S. Then there is a unique ring homomorphism
21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UFD. Therefore
More informationEffects of Asymmetric Distributions on Roadway Luminance
TRANSPORTATION RESEARCH RECORD 1247 89 Effects of Asymmetric Distributions on Roaday Luminance HERBERT A. ODLE The current recommended practice (ANSIIIESNA RP-8) calls for uniform luminance on the roaday
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationBloom Filters and Locality-Sensitive Hashing
Randomized Algorithms, Summer 2016 Bloom Filters and Locality-Sensitive Hashing Instructor: Thomas Kesselheim and Kurt Mehlhorn 1 Notation Lecture 4 (6 pages) When e talk about the probability of an event,
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN 1, MICHAEL SCOTT 2, AND EDLYN TESKE 3 1 Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840 USA dfreeman@math.berkeley.edu
More informationLecture 6: Finite Fields
CCS Discrete Math I Professor: Padraic Bartlett Lecture 6: Finite Fields Week 6 UCSB 2014 It ain t what they call you, it s what you answer to. W. C. Fields 1 Fields In the next two weeks, we re going
More informationSymmetries and Polynomials
Symmetries and Polynomials Aaron Landesman and Apurva Nakade June 30, 2018 Introduction In this class we ll learn how to solve a cubic. We ll also sketch how to solve a quartic. We ll explore the connections
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationChapter 3: Polynomial and Rational Functions
Chapter 3: Polynomial and Rational Functions 3.1 Polynomial Functions A polynomial on degree n is a function of the form P(x) = a n x n + a n 1 x n 1 + + a 1 x 1 + a 0, where n is a nonnegative integer
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More information= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2
8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationy(x) = x w + ε(x), (1)
Linear regression We are ready to consider our first machine-learning problem: linear regression. Suppose that e are interested in the values of a function y(x): R d R, here x is a d-dimensional vector-valued
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationLong run input use-input price relations and the cost function Hessian. Ian Steedman Manchester Metropolitan University
Long run input use-input price relations and the cost function Hessian Ian Steedman Manchester Metropolitan University Abstract By definition, to compare alternative long run equilibria is to compare alternative
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More information1 Overview and revision
MTH6128 Number Theory Notes 1 Spring 2018 1 Overview and revision In this section we will meet some of the concerns of Number Theory, and have a brief revision of some of the relevant material from Introduction
More informationElliptic Curves Spring 2013 Lecture #8 03/05/2013
18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN, MICHAEL SCOTT, AND EDLYN TESKE Abstract. Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationOn compressible pairings and their computation
On compressible pairings and their computation Michael Naehrig 1, Paulo S. L. M. Barreto 2, and Peter Schwabe 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O.
More informationComputing a Lower Bound for the Canonical Height on Elliptic Curves over Q
Computing a Lower Bound for the Canonical Height on Elliptic Curves over Q John Cremona 1 and Samir Siksek 2 1 School of Mathematical Sciences, University of Nottingham, University Park, Nottingham NG7
More informationFrequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography
Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Selçuk Baktır, Berk Sunar {selcuk,sunar}@wpi.edu Department of Electrical & Computer Engineering Worcester Polytechnic Institute
More informationElliptic Curves Spring 2015 Lecture #23 05/05/2015
18.783 Elliptic Curves Spring 2015 Lecture #23 05/05/2015 23 Isogeny volcanoes We now want to shift our focus away from elliptic curves over C and consider elliptic curves E/k defined over any field k;
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationMA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES
MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2018 57 5. p-adic Numbers 5.1. Motivating examples. We all know that 2 is irrational, so that 2 is not a square in the rational field Q, but that we can
More informationCounting points on elliptic curves: Hasse s theorem and recent developments
Counting points on elliptic curves: Hasse s theorem and recent developments Igor Tolkov June 3, 009 Abstract We introduce the the elliptic curve and the problem of counting the number of points on the
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationarxiv: v1 [math.gr] 3 Feb 2019
Galois groups of symmetric sextic trinomials arxiv:1902.00965v1 [math.gr] Feb 2019 Alberto Cavallo Max Planck Institute for Mathematics, Bonn 5111, Germany cavallo@mpim-bonn.mpg.de Abstract We compute
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationBusiness Cycles: The Classical Approach
San Francisco State University ECON 302 Business Cycles: The Classical Approach Introduction Michael Bar Recall from the introduction that the output per capita in the U.S. is groing steady, but there
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationFast Formulas for Computing Cryptographic Pairings
Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.
More informationGalois theory (Part II)( ) Example Sheet 1
Galois theory (Part II)(2015 2016) Example Sheet 1 c.birkar@dpmms.cam.ac.uk (1) Find the minimal polynomial of 2 + 3 over Q. (2) Let K L be a finite field extension such that [L : K] is prime. Show that
More information14 Ordinary and supersingular elliptic curves
18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that
More informationLogic Effort Revisited
Logic Effort Revisited Mark This note ill take another look at logical effort, first revieing the asic idea ehind logical effort, and then looking at some of the more sutle issues in sizing transistors..0
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationCONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker
CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES Reinier Bröker Abstract. We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over F q with trace
More information1 :: Mathematical notation
1 :: Mathematical notation x A means x is a member of the set A. A B means the set A is contained in the set B. {a 1,..., a n } means the set hose elements are a 1,..., a n. {x A : P } means the set of
More informationThis is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.
8 Modular Arithmetic We introduce an operator mod. Let d be a positive integer. For c a nonnegative integer, the value c mod d is the remainder when c is divided by d. For example, c mod d = 0 if and only
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationOrdinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors
Memoirs of the Faculty of Engineering, Okayama University, Vol. 44, pp. 60-68, January 2010 Ordinary Pairing Friendly Curve of Embedding Degree Whose Order Has Two Large Prime Factors Yasuyuki NOGAMI Graduate
More informationParallel Implementation of Proposed One Way Hash Function
UDC:004.421.032.24:003.26 Parallel Implementation of Proposed One Way Hash Function Berisha A 1 1 University of Prishtina, Faculty of Mathematics and Natural Sciences, Kosovo artan.berisha@uni-pr.edu Abstract:
More informationSubgroup security in pairing-based cryptography
Subgroup security in pairing-based cryptography Paulo S. L. M. Barreto 1, Craig Costello 2, Rafael Misoczki 1, Michael Naehrig 2, Geovandro C. C. F. Pereira 1, and Gustavo Zanon 1 1 Escola Politécnica,
More informationComplex Numbers and the Complex Exponential
Complex Numbers and the Complex Exponential φ (2+i) i 2 θ φ 2+i θ 1 2 1. Complex numbers The equation x 2 + 1 0 has no solutions, because for any real number x the square x 2 is nonnegative, and so x 2
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More information