Pairing Inversion via Non-degenerate Auxiliary Pairings

Transcription

1 Paiing Invesion via Non-degeneate Auxiliay Paiings Seunghwan Chang 1, Hoon Hong 2, Eunjeong Lee 1, and Hyang-Sook Lee 3 1 Institute of Mathematical Sciences, Ewha Womans Univesity, Seoul, S. Koea schang@ewha.ac.k, ejlee127@ewha.ac.k 2 Depatment of Mathematics, Noth Caolina State Univesity, Raleigh, USA hong@ncsu.edu 3 Depatment of Mathematics, Ewha Womans Univesity, Seoul, S. Koea hsl@ewha.ac.k Abstact. The secuity of paiing-based cyptosystems is closely elated to the difficulty of the paiing invesion poblem(pi). In this pape, we discuss the difficulty of paiing invesion on the genealized ate paiings of Vecauteen. Fist, we povide a simple appoach fo PI by genealizing and simplifying Kanayama-Okamotos appoach; ou appoach involves modifications of exponentiation invesion(ei) and Mille invesion(mi), via an auxiliay paiing. Then we povide a complexity of the modified MI, showing that the complexity depends on the sum-nom of the intege vecto defining the auxiliay paiing. Next, we obseve that degeneate auxiliay paiings expect to make modified EI hade. We povide a sufficient condition on the intege vecto, in tems of its max nom, so that the coesponding auxiliay paing is non-degeneate. Finally, we define an infinite set of cuve paametes, which includes those of typical paiing fiendly cuves, and we show that, within those paametes, PI of abitaily given genealized ate paiing can be educed to modified EI in polynomial time. 1 Intoduction Paiings [1, 9, 12, 13, 18, 25, 29] play an impotant ole in cyptogaphy [2 4, 14, 27]. The secuity of paiing-based cyptosystems is closely elated to the difficulty of the paiing invesion poblem (PI): fo a given paiing,, an agument Q(o P ) and a paiing value z, compute the othe agument P (o Q) such that z = P, Q. PI on elliptic cuves was fist ecognized by Veheul [26] as a potentially had cyptogaphic computational poblem. Satoh [23, 24] consideed the polynomial intepolations to find the x-coodinate of P fo given Q and z, poviding evidences that suppot the difficulty of PI. Galbaith-Hess-Vecauteen [11] defined PI fomally and discussed two appoaches fo PI. (1) Ty to solve PI in a single step. (2) Solve PI by inveting exponentiation fist and then inveting Mille step - Since paiings on elliptic cuves ae computed in two steps, namely the Mille step and the exponentiation step, they suggested inveting them in evese ode to solve PI, i.e. exponentiation invesion(ei) and then Mille invesion (MI).

2 They discussed the possibilities on the eduction of MI to PI (pecisely FAPI-1) vice vesa fo Tate-Lichtenbaum paiing afte the obsevation that the EI fo Tate-Lichtenbaum paiing can be defined as etuning a andom value satisfying its exponentiation elation, which is vey easy. They emaked that the situation, of EI, is quite diffeent fo the ate paiing. Recently, [17] showed that, when a peimage of Tate-Lichtenbaum paiing was esticted, its PI was equivalent to the PI of the ate paiing. Kanayama-Okamoto [15] studied the PI on the ate i paiings and suggested a cleve idea fo a eduction of PI to EI. In this pape, inspied by significant pevious woks [26, 22 24, 11, 20, 28, 15, 7], we povide futhe contibutions towad undestanding the difficulty of paiing invesion. In ode to povide the context and the motivation fo the main contibutions of this pape, we fist eview infomally some of the pevious woks paticula [11, 15] on PI by ecasting them fo the genealized ate paiing of Vecauteen [25], which cuently is one of the most geneal constuctions of cyptogaphic paiings. Fo a given intege vecto ε, the genealized ate paiing a ε : G 2 G 1 G 3 takes two points P G 1, Q G 2 and poduces a value z. It is caied out in two steps: Mille step (M) [19] and Exponentiation step (E). 1. [M ε ] γ ε = Z ε (Q, P ) 2. [E ε ] z = γε L whee Z ε is a cetain ational function depending on the intege vecto ε and L is a cetain natual numbe. Depending on the choice of ε, one gets a diffeent paiing (see [25] and Section 2.2 fo details). Paiing invesion poblems ae defined in two types [11]. In this pape, we conside one of them (FAPI-1): fo given Q G 2, z G 3, find P such that z = a ε (Q, P ). Following [11, 15], we conside the two-step appoach i.e., fist inveting the exponentiation step (EI) and then inveting the Mille step (MI). Fo the genealized ate paiings, thee is a subtlety in the fomulation of EI, as obseved fo example in [17], due to the fact that, fo a fixed Q, the map a ε (Q, ) : G 1 G 3 is one-to-one, unlike fo Tate-Lichtenbaum paiing. One could think of thee possible fomulations of EI. Fo a given L and z, find F1: any γ such that z = γ L. (γ might not be γ ε ) F2: all γ s such that z = γ L. (one of them will be γ ε ) F3: the ight γ such that z = γ L. ( γ = γ ε ) In [15], it is not stated explicitly which fomulation of EI is intended. Fom the context, we conclude that it cannot be F1. If it wee F1, then we get into a stange conclusion that PI could be solvable in polynomial time since F1 is obviously solvable in polynomial time (due to fact that L is elatively pime to the ode of z) and [15] showed that PI can be educed to EI. We also conclude that it cannot be F2 eithe. If it wee F2, then one would have to cay out MI fo each of the exponentially many γ s, contadicting the claim of [15] that PI can be educed to EI in polynomial time. Hence, the only fomulation of EI which is consistent with the claim of [15] is F3. Theefoe, we will use F3 as the fomulation of EI. Summaizing, we have the following fomulation of PI :

3 1. [EI ε ] Find the ight γ ε fom the set {γ : z = γ L } 2. [MI ε ] Find P fom γ ε = Z ε (Q, P ) In [15], Kanayama-Okamoto poposed an inteesting modification of the natual appoach fo PI, which amounts to the following: 1. [Choice] Choose an intege vecto e (which might be diffeent fom ε), giving ise to anothe genealized ate paiing, which we will call an auxiliay paiing, which may o may not be non-degeneate. 2. [EI ε,e ] Find the ight γ e by caying out seveal elated exponentiation invesions (See Section 2.3). 3. [MI e ] Find P fom γ e = Z e (Q, P ) Fom now on, we will call EI ε,e and MI e as the modified exponentiation invesion and the modified Mille invesion, espectively. If e = ε, then EI ε,e and MI e ae exactly same as EI ε and MI ε. The key idea is to choose an intege vecto e which may be diffeent fom ε, but which may be bette fo PI. Specifically, Kanayama- Okamoto suggested that the intege vecto e is chosen fom eithe coefficients of cyclotomic polynomials o (1,..., 1), because such e yields Z e of low degee, making MI e easy. This concludes the infomal eview of the pevious woks on PI (ecast fo the genealized ate paiing). Finally we ae eady to descibe infomally the main contibutions of this pape. 1. In Section 3, we povide anothe appoach fo paiing invesion (Appoach 1), by simplifying the step EI ε,e of Kanayama-Okamoto s appoach. The simplicity of the poposed appoach significantly facilitates the subsequent investigation. We pove its coectness (Theoem 1), and then compae the two appoaches with espect to the seach spaces(theoem 2). 2. In Section 4, we povide a complexity analysis of MI e (Theoem 3). It essentially says that the complexity is bounded by e 2 1 whee e 1 stands fo the sum nom of the chosen intege vecto e. Hence, in ode to educe the complexity of MI e, one needs to choose e with small sum nom. 3. In Section 5, we povide an incemental esult towad the undestanding of the complexity of EI ε,e. We begin by obseving that the degeneacy of the auxiliay paiing has a potential impact on the difficulty of EI ε,e (Poposition 1 and Remak 2). Moe pecisely, if the auxiliay paing defined by the choice of e is degeneate, then the exponential elation in EI ε,e step becomes independent of the input z, that is, the exponential elation does not captue any infomation about the input. As a esult, EI ε,e is expected to be hade than EI ε, when such e is chosen. If the auxiliay paiing coesponding to e is non-degeneate, then EI ε,e is likely as had as EI ε. Hence, in ode to educe the complexity of EI ε,e, one bette choose e such that the auxiliay paing defined by e is non-degeneate. We povide a sufficient condition on e, in tems of the max nom of e, so that the paiing coesponding to e is non-degeneate (Theoem 4).

4 4. In Section 6, we discuss when paiing invesion can be educed to modified exponentiation invesion EI ε,e. This was inspied by Kanayama-Okamoto [15] whee paiing invesion was educed to seveal (unmodified) exponentiation invesions. Specifically we ae looking fo a condition on e so that MI e is easy. As explained above, we need to find small e. Thus, one might be natually tempted to choose the intege vecto e fom eithe coefficients of cyclotomic polynomials o (1,..., 1). Howeve such e makes the coesponding auxiliay paiing degeneate. Hence the modified exponentiation invesion EI ε,e is expected to be had. Theefoe, in ode to meaningfully educe paiing invesion to modified exponentiation invesion, one needs find e such that it is small and the coesponding auxiliay paiing is non-degeneate. In this section, we investigate the existence of such e in vaious cases. In paticula, we define an infinite set of cuve paametes (Definition 1), which includes those of typical paiing fiendly cuves as in Table 1 of [10] and show that, within those paametes, paiing invesion of an abitaily given paiing can be educed to modified exponentiation invesion in polynomial time (Theoem 5). We futhemoe povide tighte uppe bounds on the numbe of bit opeations needed by such eductions fo seveal concete cases (Table 1). 2 Peliminaies In this section, we biefly eview elliptic cuves, the genealized ate paiings due to Vecauteen [25] and an appoach to paiing invesion due to Kanayama- Okamoto [15]. We encouage all the eades to skim though them, as the notations and the assumptions theein will be extensively used thoughout the subsequent sections. 2.1 Elliptic cuves We fix the basic notations fo elliptic cuves. Let q be a powe of a pime and let be a pime such that gcd(q, ) = 1. Let k be the embedding degee defined as the multiplicative ode of q in F, denoted by k = od (q), and L = (q k 1)/. Let E be an elliptic cuve defined ove F q such that #E(F q ). Let G 1 = E[] ke(π q [1]) and G 2 = E[] ke(π q [q]) whee π q : E E denotes the q-powe Fobenius endomophism. 2.2 Vecauteen s genealized ate paiings We eview the genealized ate paiings [25]. Let μ = { } u F : u = 1. Let q k f n,q, l P,Q and v P be the nomalized functions with divisos n (Q) ([n] Q) (n 1) (O), (P )+(Q)+( (P + Q)) 3 (O) and (P )+( P ) 2 (O) espectively, whee O denotes the identity element of the goup E. Let ( ) g (X) = X k 1, λ ε (X) = ε j X j g (X) λε (X), W ε (X) = det g (X) λ ε(x)

5 fo ε = (ε 0,..., ε ) Z k. Vecauteen [25] defined a map a ε : G 2 G 1 μ such that, fo all P G 1, Q G 2, a ε (Q, P ) = Z ε (Q, P ) L, Z ε (Q, P ) = whee k 2 f εj,q j Q(P ) l εj q j Q, (ε j+1 q j+1 + +ε q )Q v (εj q j + +ε q )Q and showed that it is a well-defined bilinea map if λ ε (q), 2 λ ε (q) and 2 g (q). He also showed that a ε is non-degeneate if and only if 2 W ε (q). Fom now on, we will assume λ ε (q), 2 λ ε (q), 2 g (q) and 2 W ε (q), so that a ε is a non-degeneate paiing. We will also assume, without losing geneality, that gcd (ε 0,..., ε ) = 1 because the vecto ε is selected as small as possible fo faste paiing computation. In summay, Vecauteen poposed the following appoach fo paiings. In: P G 1, Q G 2 Out: z = a ε (Q, P ) 1. [M ε ] γ ε Z ɛ (P, Q) 2. [E ε ] z γɛ L (P ) 2.3 Kanayama-Okamoto s appoach to paiing invesion We eview an appoach fo paiing invesion due to Kanayama-Okamoto [15]. They poposed the following appoach and poved its coectness. In: Q G 2, z μ Out: P G 1 such that z = a ɛ (Q, P ). 1. [Choice] Choose e Z k such that λ e (q) and gcd (e 0,..., e ) = [EI ε,e ] Find γ e by caying out the following. (a) T j em ( q j, ), the emainde of q j modulo (b) a j od (T j ) (c) n j T a j j 1 (d) N j gcd(t aj j 1, q k 1) (e) d j a j 1 h=0 T aj 1 h j q jh (f) c j em(d j, N j ) (g) c j c 1 j mod. (h) U e 1 e jt j (i) U ε 1 ε jt j (j) ψ ε U ε ε jc j n j (k) ψ ε ψε 1 mod. (l) Find the ight τ such that τ L = z ψ ε (m) Find the ight α j such that αj L = τ Lc j nj

6 (n) γ e τ Ue αe j j 3. [MI e ] Find P fom γ e = Z e (P, Q).. By the ight τ and the ight α j, we mean the ones satisfying the condition τ = f,q (P ) and α j = f Tj,Q(P ) fo some P G 1. Remak 1. The above desciption is a bit diffeent fom the oiginal one by Kanayama-Okamoto [15] in thee ways. αe j j τ Ue They used the quantity fo γ e, which is the ecipocal of the quantity shown above. We changed it in the cuent fom, because it is moe consistent with the notation used in Vecauteen s genealized paiings [25]. They elaboated thei idea fo ate i paiing (coesponding to a paticula class of ε) and indicated that it could be extended to the genealized ate paiing of Vecauteen [25] (coesponding to a geneal class of ε). Indeed, such an extension is staightfowad. The above desciption allows abitay ε. They elaboated thei idea fo paticula choices of e such as coefficients of cyclotomic polynomials o (1,..., 1). The extension to abitay e is also staightfowad. The above desciption allows abitay e. 3 A Simple Appoach fo Paing Invesion In this section, we descibe an appoach fo inveting the genealized ate paiing of Vecauteen (Appoach 1). We will use the notations intoduced in Section 2.2. Compaing to Kanayama-Okamoto s appoach (See Section 2.3), one sees that the modified exponentiation invesion step EI ε,e is simplified. The simplicity of the poposed appoach facilitates the subsequent investigation. We pove its coectness (Theoem 1). Then we compae the simple appoach with Kanayama- Okamoto s appoach (Theoem 2). We let a n b abbeviate a b (mod n) fo simplicity. Appoach 1 Paiing Invesion In: Q G 2, z μ Out: P G 1 such that z = a ε (Q, P ). 1. [Choice] Choose e Z k such that λ e (q) and gcd (e 0,..., e ) } = [EI ε,e ] Find the ight γ e fom Γ ε,e,z = {γ F q : γ L = z δε,e, whee k δ ε,e w e /w ε and w η = 1 W η (q). 3. [MI e ] Find P fom γ e = Z e (P, Q). By the ight γ e, we mean the ones satisfying the condition γ e = Z e (Q, P ) fo some P G 1. Theoem 1 (Coectness). If γ e = Z e (Q, P ), then γ L e = z δε,e.

7 Poof. Recall that γe L = a e (Q, P ) and z = a ε (Q, P ). Hence we need to show that a e (Q, P ) = a ε (Q, P ) δε,e. Recall, fom the poof of Theoem 4 in [25], that and thus f q,q (P ) L λe(q) g (q)( g(q) ) 1 = f q,q (P ) Lλ e (q) a e (Q, P ). ( a e (Q, P ) = f q,q (P ) L λe(q) g (q)( g(q) ) 1 ) ( λ e (q) = f q,q (P ) L ( g(q) ) 1 w e ). Similaly, one gets Thus, a ε (Q, P ) = f q,q (P ) L ( ( g(q) ) 1 w ε ). a e (Q, P ) = f q,q (P ) L ( ( g(q) ) 1 w e ) = a ε (Q, P ) wew 1 ε = a ε (Q, P ) δε,e. One may wonde how the above appoach compaes to the appoach of Kanayama-Okamoto. Since the MI e steps ae the same, we only need to compae EI ε,e steps. Since EI ε,e is essentially a seach poblem (finding the ight elements), we need to compae the seach spaces. Recall that the seach space of Appoach 1 is Γ ε,e,z when bute-foce seach is used. Likewise, the seach space fo the appoach of Kanayama-Okamoto (see Section 2.3) amounts to Θ ε,e,z = { τ Ue αe j j : τ, α j F q k α L j = τ Lc j nj τ L = z ψ ε The following theoem states that the two bute-foce seach spaces ae the same. Theoem 2. We have Γ ε,e,z = Θ ε,e,z. Poof. We will pove the inclusion in both diections. Claim 1: Θ ε,e,z Γ ε,e,z Let τ F q k and α j F q k be such that α L j = τ Lc j nj and τ L = z ψ ε. Let θ = θ L = τ Ue αe j j ( τ U e αe j j. We need to show that θ L = z δε,e. Note ) L = τ LU e αlej j = τ LU e τ Le jc j n j } = τ L(Ue ejc j nj) = τ Lψe As z = τ Lψε, we have θ L = z ψeψ ε. Since Ze (Q, P ) Θ e,z as [15] showed, we also have Z e (Q, P ) L = z ψeψ ε. Recall Ze (Q, P ) L = a ε (Q, P ) wew ε = z wew ε. Thus, θ L = z ψ eψ ε = Ze (Q, P ) L = a ε (Q, P ) wew ε = z w ew ε = z δ ε,e.

8 Claim 2: Γ ε,e,z Θ ε,e,z Let γ F be such that γ L = z δε,e. We need to find τ and α q k j such that α L j = τ Lc j n j and τ L = z ψ ε and γ = τ Ue j=1 αe j j αe j j. Let P G 1 and Q G 2 be such that z = a ε (Q, P ). Such P, Q exist because the map G 1 μ, P a ε (Q, P ) is bijective if Q G 2 {O}. Let τ = f,q (P ) and α j = f Tj,Q(P ) τ and γ = Ue. Let h Z k be such that h je j = 1. Such h exists because gcd (e 0,..., e ) = 1. Let τ = τ, α j = α j ( γ γ ) hj Then we have τ L = τ L = z ψ ε ( ( ) ) hj L γ αj L = α j = α j L γ γ = γ γ γ = τ U e αej j ( γ γ ) Lhj = α L j ( ) hje γ j = γ ( z δ ε,e z δ ε,e τ U e ( ( α γ j γ 4 Complexity of Modified Mille Invesion ) hj = τ Lc j n j = τ Lc j n j ) hj ) ej = τ U e j=1 αej j In this section, we povide a bit-complexity of the modified Mille invesion step MI e. It essentially says that, when q and k ae fixed, the complexity is bounded by e 2 1 whee e 1 stands fo the sum nom of the intege vecto e. Hence in ode to educe the complexity of MI e, one needs to choose e with small sum nom. This esult can be viewed as an adaptation of the esults/ideas [11] to the genealized ate paiing. Theoem 3 (Complexity of MI e ). Thee exists an algoithm fo MI e equiing at most 2 8 e 2 1 k 2 (log 2 q) 3 bit opeations. In the emainde of this section, we will pove Theoem 3. We will divide the poof into seveal lemmas that ae inteesting on thei own. We begin with a slight efomulation of the expession fo the genealized ate paiing [25], because it geatly simplifies the deivation of the above uppe bound. Lemma 1. Let e (+), e ( ) Z k be e (+) i = { ei if e i > 0 0 else and e ( ) j = { ej if e j < 0 0 else

9 Then, fo all Q G 2 and all P G 1, we have Z e (Q, P ) = Z e (+) (Q, P ) Z e ( ) (Q, P ) Poof. See the Appendix. Lemma 2. Fo evey Q G 2, θ F q k polynomial h ove F q k such that and e Z l, thee exists a bivaiate (a) (x, y) G 1 θ = Z e (Q, (x, y)) = h(x, y) = 0 (b) deg X (h) e 1 (c) deg Y (h) 2 max{s, t}, whee s := #{j : e j > 0} and t := #{j : e j < 0}. Poof. See the Appendix.. Poof (Poof of Theoem 3). To solve MI e fo given Q G 2 and e Z l, we have to find P = (x, y) G 1 such that θ = Z e (Q, (x, y)), y 2 = x 3 + ax + b (1) Let h be a bivaiate polynomial ove F q k Lemma 2 and let, fo the h, satisfying the thee conditions in F (X, Y ) = Y 2 X 3 ax b u (X) = es Y (h (X, Y ), F (X, Y )). Note, fo all (x, y) G 1, if θ = Z e (Q, (x, y)), then u (x) = 0 and deg u deg Y F deg X h + deg Y h deg X F 2 e e 1 3 = 8 e 1. Fom [11], thee exists an algoithm fo solving a polynomial of degee d in F q whose complexity is O(d 2 k 2 (log q) 3 ). In fact, a moe detailed analysis shows that the algoithm equies at most 4 d 2 k 2 (log 2 q) 3 bit opeations. Since solving u(x) = 0 is enough to solve the system of equations (1), we see that MI e can be solved within 4 (8 e 1 ) 2 k 2 (log 2 q) 3 = 2 8 e 2 1 k 2 (log 2 q) 3. bit opeations. 5 Towad Complexity of Modified Exponentiation Invesion It would be nice to have a complexity estimate fo the modified exponentiation invesion EI ε,e, just as fo the modified Mille invesion MI e (Theoem 3). Unfotunately, we do not have a esult on it. We ae not awae of any esults

10 in the liteatue eithe. We expect it to be a vey non-tivial task, most likely equiing patient and long aduous effots of many eseaches, each making an incemental contibution. In this section, we epot on an incemental finding towad complexity of EI ε,e. Recall that EI ε,e asks to find the ight γ e fom the seach space Γ ε,e,z. Hence it is easonable to begin with the study of the elationship between the seach space Γ ε,e,z and the chosen vecto e. Poposition 1. We have 1. If the auxiliay paiing a e is degeneate, then Γ ε,e,z = Γ ε,ε,1 = μ L. 2. If the auxiliay paiing a e is non-degeneate, then Γ ε,e,z = Γ ε,ε,z δε,e. Poof. Note that δ ε,ε = 1. Recall that δ ε,e w e /w ε and w e = 1 W e(q) Z. Theefoe we have a e is degeneate 2 W e (q) w e 0 δ ε,e 0 If a e is degeneate, then we have { Γ ε,e,z = γ F : γ L = z 0} = q k { } γ F : γ L = 1 δ q k ε,ε = Γ ε,ε,1 = μ L If a e is non-degeneate, then we have { } Γ ε,e,z = γ F : γ L = z δ q k ε,e = {γ F q : γ L = ( z δ ) } δ k ε,e ε,ε = Γ ε,ε,z δε,e Remak 2. Fom the above poposition, we obseve the followings: If a e is degeneate then the seach space of EI ε,e is independent of the input z, that is, the exponential elation in EI ε,e does not captue any infomation about the input. Thus the modified exponentiation invesion EI ε,e will be most likely hade when a e is degeneate than when a e is non-degeneate. If a e is non-degeneate then the seach space of EI ε,e fo an input z is the same as that of EI ε fo anothe input z δε,e. Thus the modified exponentiation invesion EI ε,e is likely as had as the oiginal exponentiation invesion EI ε. Theefoe, as a fist step towad finding an efficient method fo EI ε,e, we bette ensue that a e is non-degeneate. The following theoem (Theoem 4) gives a sufficient condition on e, in tems of the max nom of e, fo the non-degeneacy of a e. We will use the following lemma in the poof of the theoem, hence we state it fist. Lemma 3. Let s be a pimitive k-th oot of unity modulo 2 and s q mod. Then 2 λ e (s) iff a e is non-degeneate. Poof. The claim follows easily fom the poof of [12, Theoem 3]. See the Appendix fo a detailed poof in tems of ou teminologies.

11 Theoem 4. Let e Z k be such that λ e (q) and Φ k (X) λ e (X). Let m e = [Q(ζ k ) : Q(λ e (ζ k ))]. If then a e is non-degeneate. e < 2me/ϕ(k) ϕ(k) Poof. We will pove the conta-positive. Assume that a e is degeneate. We claim e 2me/ϕ(k). ϕ(k) Let s Z be such that s q (mod ) and od 2(s) = k. To pove the claim, we will use the fact that a e is degeneate if and only if 2 λ e (s) (Lemma 3). Note 2 (s k 1) = d k Φ d(s). Since Φ d (s) = Φ d (q + ι) implies Φ d (q), divides only Φ k (s) and Φ d (s) fo all d < k. Theefoe, 2 Φ k (s). Let μ e (X) = em(λ e (X), Φ k (X)) and ζ k C be a pimitive k-th oot of unity. Note that μ e 0 fom the assumption. Let v(x) Q[X] be the minimal polynomial of μ e (ζ k ) ove Q. Note that v(x) Z[x] as μ e (ζ k ) Z[ζ k ], the ing of integes of Q(ζ k ). Since v(μ e (X)) is zeo at ζ k and Φ k (x) is monic, we have v(μ e (X)) = Φ k (X)h(X) fo some h(x) Z[X]. Fom 2 λ e (s) and 2 Φ k (s), we have 2 μ e (s) and v(0) 2 v(μ e (s)) 2 Φ k (s)h(s) 2 0 Theefoe, we have eithe v(0) = 0 o v(0) 2. Noting that, by [6, Poposition 4.3.2] and the fact that v is monic, v(0) = Nom(μ e (ζ k )) = NomQ(ζk )/Q(μ e (ζ k )) 1 me = gcd(j,k)=1 μ e (ζ j k ) we conclude that v(0) 0. Indeed if v(0) = 0, then Φ k λ e, a contadiction to μ e 0. Thus, we have 2 v(0) = gcd(j,k)=1 μ e (ζ j k ) 1 me gcd(j,k)=1 ϕ(k) e 1 me 1 me = (ϕ(k) e ) ϕ(k) me, Theefoe, we finally have the claim. 6 Reducing Paing Invesion to Modified Exponentiation Invesion In this section, we discuss when paiing invesion can be educed to modified exponentiation invesion EI ε,e.

12 Specifically we ae looking fo a condition on e so that MI e is easy. Accoding to Theoem 3, we need to find small e. One might be natually tempted to choose the intege vecto e fom eithe coefficients of cyclotomic polynomials o (1,..., 1). Howeve accoding to Coollay 6 of Vecauteen [25], such e makes the coesponding auxiliay paiing degeneate. Hence, fom Poposition 1, the modified exponentiation invesion EI ε,e is expected to be had because the seach space does not depend on z. Theefoe, in ode to meaningfully educe paiing invesion to modified exponentiation invesion, one needs find e such that it is small and the coesponding auxiliay paiing is non-degeneate. In this section, we investigate the existence of such e in vaious cases (Theoem 5 and the subsequent examples in Table 1). We begin by intoducing a definition that was inspied by the discussions in[11]. Definition 1. Let C α be the set of all (, k) Z 2 >0 satisfying C1: 1/ϕ(k) > ϕ (k) C2: 1/ϕ(k) (log 2 ) α Remak 3. In the following figue, the bottom cuve is fom the condition C1 in Definition 1 and the top cuve is fom the condition C2 when α = 10. Thus, the egions between the two cuves is the set C 10, The black dots epesent typical paiing fiendly cuves fom Table 1 in [10]. Note that the paametes fo the typical paiing fiendly cuves belong to C 10. log ϕ(k) Lemma 4. If α > 1, then C α is an infinite set. Poof. See the Appendix. Theoem 5. Let α > 1, (, k) C α and q. Then the invesion of evey genealized ate paiing can be educed to modified exponentiation invesion in polynomial time in log 2. Specifically, thee exists e such that the auxiliay paiing a e is non-degeneate and MI e can be caied out in at most bit opeations (log 2 ) 8α+3

13 Poof. Let (q, ) C α and q. We need to find a witness e such that a e is non-degeneate and MI e can be caied out in the claimed numbe of bit opeations. Fom Minkowski s theoem (see III.C of [25]), thee exists e Z k with λ e (q) such that the last k ϕ(k) elements of e ae zeo and e 1/ϕ(k) We will take it as the witness. Fist we show that a e is non-degeneate. Since the last k ϕ(k) elements of e ae zeo, we have λ e (X) Φ k (X). Fom the condition that 1/ϕ(k) > ϕ (k), we have and thus (2m e 1)/ϕ(k) ϕ(k) 1/ϕ(k) ϕ(k) > 1 e 1/ϕ(k) < 1/ϕ(k) (2m e 1)/ϕ(k) ϕ(k) = 2m e/ϕ(k) ϕ(k) Theefoe, by Theoem 4, a e is non-degeneate. Next we show that MI e can be caied out in the claimed numbe of bit opeations. Let N be the numbe of bit opeations fo MI e. Note that e 1 ϕ(k) e. Hence e 1 ϕ(k) 1/ϕ(k). Theefoe, fom Theoem 3, we have Fom the condition q, we have N 2 8 ( ϕ(k) 1/ϕ(k)) 2 k 2 (log 2 q) 3 N 2 8 ( ϕ(k) 1/ϕ(k)) 2 k 2 (2 log 2 ) 3 = 2 11 ϕ(k) 2 2/ϕ(k) k 2 (log 2 ) 3 Since k 2ϕ(k) and ϕ (k) < 1/ϕ(k), we have N 2 11 ϕ(k) 2 2/ϕ(k) 4 ϕ(k) 4 (log 2 ) 3 = /ϕ(k) (log 2 ) 3 Since 1/ϕ(k) (log 2 ) α, we have N < 2 13 (log 2 ) 8α (log 2 ) 3 = 2 13 (log 2 ) 8α+3 The uppe bound in Theoem 5 is not tight. In Table 1, we povide tighte uppe bounds fo seveal examples. Fo each example, the fist ow of the table shows k, ϕ(k), log 2, α with which we can estimate an uppe bound of the bit complexity fo educing PI to EI ε,e, using Theoem 5. The next ows show actual paametes q, and a vecto e Z ϕ(k). The vecto e is the one with smallest sum nom among the LLL educed vectos fo the lattice with espect to q,, k [25]. The vecto e is veified to yield non-degeneate a e. Fo the vecto e, the last ow has been calculated using Theoem 3, which estimates the bit complexity of MI e on the cuve moe pecisely. The estimated uppe bounds on the computing

14 times ae based on the assumption that one uses the cuently fastest supecompute [8], which can pefom about flops 1000 bops flops = 264 bops (bit opeations pe second). The fist example BN is the smallest value taken fom Table 1 in [21]. Since ϕ(k) fo the BN cuves [5] ae small (ϕ(k) = 4), they easily satisfy the condition C1 in Definition 1 but lage α values ae needed to satisfy C2. Theefoe, fom Theoem 5, we expect that it will be difficult to educe PI to EI ε,e fo BN cuves. The tighte uppe bound on the bit opeation on the last ow, based on Theoem 3, suppots the obsevation. Next two examples ae the KSS cuves descibed in Example 4.6 and Example 4.7 in [16]. The paametes ae obtained by evaluating the polynomials in the Examples in [16] at x 0 = 188 fo KSS1 and x 0 = 107 fo KSS2. The example CP1 is constucted by Cocks-Pinch method to have small α and typical paametes (k, log 2 ) in Table 1 in [10]. The example C6.6 is obtained fom evaluating the polynomials in Constuction 6.6 with k = 33 in [10] at x 0 = 9727, which is also a paiing-fiendly cuve (Definition 2.3 in [10]). The ϕ(k) fo these cuves ae small enough to satisfy C1, and big enough fo small α values to satisfy C2. Theefoe, fom Theoem 5, we expect that it will be elatively easy to educe PI to EI ε,e fo these cuves. The tighte uppe bound on the bit opeations on the last ow, based on Theoem 3, suppots the obsevation. Acknowledgement The authos would like to thank Steven Galbaith and anonymous efeees fo thei insightful and helpful comments. Refeences 1. Baeto, P., Galbaith, S., Ó héigeataigh, C., Scott, M. : Efficient Paiing Computation on Supesingula Abelian Vaieties. Designs, Codes and Cyptogaphy 42, no. 3, pp (2007) 2. Boneh, D., Fanklin, M. : Identity-based encyption fom the Weil paiing. SIAM J. of Computing 32, no. 3, pp (2003) 3. Boneh, D., Goh, E., Nissim, K. : Evaluating 2-DNF fomulas on ciphetexts. In Poceedings of Theoy of Cyptogaphy (TCC) 05, LNCS 3378, pp (2005) 4. Boneh, D., Lynn, B., Shacham, H. : Shot signatues fom the Weil paiing. J. of Cyptology 17, no 4, pp (2004) 5. Baeto, P., Naehig, M. : Paiing-fiendly elliptic cuves of pime ode. In Poceedings of SAC 2005, LNCS 3897, pp (2006) 6. Cohen, H. : A Couse in Computational Algebaic Numbe Theoy. Spinge, Heidelbeg (2000) 7. Duc, A., Jetchev, D. : Hadness of Computing Individual Bits fo One-way Functions on Elliptic Cuves. In Poceedings of Advances in Cyptogaphy CRYPTO 2012, LNCS 7417, pp (2012) 8. Cay Titan: olcf.onl.gov/titan/, en.wikipedia.og/wiki/titan (supecompute)

15 Table 1. Estimates on time needed fo educing paiing invesion to exponentiation invesion BN k, ϕ(k), log 2, α 12, 4, 158, 6 q e [ , 0, , 1] e bit ops < yeas KSS1 k, ϕ(k), log 2, α 40, 16, 270, 3 q e [ 89353, 1, 0, 0, 0, 0, 0, 0, 0, 0, , 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] e bit ops < days KSS2 k, ϕ(k), log 2, α 36, 12, 169, 2 q e [644, 966, 2899, 2255, 8697, 10307, 12562, 2577, 5798, 0, 6120, 2577, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] e bit ops < minutes CP1 k, ϕ(k), log 2, α 23, 22, 257, 2 q e [ 196, 527, 851, 89, 648, 115, 1086, 14, 547, 1053, 409, 611, 680, 1368, 891, 1808, 3226, 1664, 577, 22, 213, 15, 0] e bit ops < minutes C6.6 k, ϕ(k), log 2, α 33, 20, 265, 2 q e [0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9727, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] e bit ops < minutes

16 9. Duusma, I., Lee, H.-S. : Tate paiing implementation fo hypeelliptic cuves y 2 = x p x + d. In Poceedings of Advances in Cyptogaphy AsiaCypt 2003, LNCS 2894, pp (2003) 10. Feeman, D., Scott, M., Teske, E. : A taxonomy of paiing-fiendly elliptic cuves. J. of Cyptology 23, pp (2010) 11. Galbaith, S., Hess, F., Vecauteen, F. : Aspects of Paiing Invesion. IEEE Tans. Infomation Theoy 54, pp (2008) 12. Hess, F. : Paiing Lattices. In Poceedings of Paiing 2008, LNCS 5209, pp (2008) 13. Hess, F., Smat, N., Vecauteen, F. : The Eta Paiing Revisited. IEEE Tans. Infomation Theoy 52, pp (2006) 14. Joux, A. : A one ound potocol fo tipatite Diffie-Hellman. J. of Cyptology 17, no. 4, pp (2004) 15. Kanayama, N., Okamoto, E. : Appoach to Paiing Invesions Without Solving Mille Invesion. IEEE Tans. Infomation Theoy 58, pp (2012) 16. Kachisa, E., Schaefe, E., Scott, M. : Constucting Bezing-Weng paiing fiendly elliptic cuves using elements in the cyclotomic elements. In Poceedings of Paiing 2008, LNCS 5209, pp (2008) 17. Kim, S., Cheon, J. : Fixed Agument Paiing Invesion on Elliptic Cuves, pepint (2012). Available at Lee, E., Lee, H.-S., Pak, C. : Efficient and Genealized Paiing Computation on Abelian Vaieties. IEEE Tans. Infomation Theoy 55, no. 4, pp (2009) 19. Mille, V. : The Weil paiing and its efficient calculation. J. of Cyptology 17, pp (2004) 20. El Mabet, N. : What about Vulneability to a Fault Attack of the Milles Algoithm Duing an Identity Based Potocol?. In Poceedings of ISA 2009, LNCS 5576, pp (2009) 21. Peeia, G., Simplício, M., Naehig, M., Baeto, P. : A Family of Implementation- Fiendly BN Elliptic Cuves. J. of Systems and Softwae 84, Issue 8, pp (2011) 22. Page, D., Vecauteen, F. : A Fault Attack on Paiing Based Cyptogaphy. IEEE Tans. Computes 55, no. 9, pp (2006) 23. Satoh, T. : On polynomial intepolations elated to Veheul homomophisms. J. Comput. Math. 9, pp (2006) 24. Satoh, T. : On paiing invesion poblems. In Poceedings of Paiing 2007, LNCS 4575, pp (2007) 25. Vecauteen, F. : Optimal Paiings. IEEE Tans. Infomation Theoy 56, no. 1, pp (2010) 26. Veheul, E. : Evidence that XTR is moe secue than supesingula elliptic cuve cyptosystems. J. Cyptology 17, no. 4, pp (2004) 27. Wates, B. : Efficient Identity-Based Encyption Without Random Oacles. In Poceedings of Advances in Cyptology EUROCRYPT 2005, LNCS 3494, pp (2005) 28. Weng, J., Dou, Y., Ma, C. : Fault Attacks against the Mille Algoithm in Hessian Coodinates. In Poceedings of InsCypt 2011: Infomation and Cyptology, LNCS 7537, pp (2012) 29. Zhao, C., Zhang, F., Huang, J. : A Note on the Ate Paiing. Intenational J. of Infomation Secuity 7, no. 6, pp (2008)

17 Appendix In this appendix, we povide poofs of seveal technical lemmas. Poof (Poof of Lemma 1). Let e m1,..., e ms > 0 and e n1,..., e nt < 0 and all othe components of e ae zeo. Then we have e (+) m i = e mi e n ( ) j = e nj and all othe components of e (+) and e ( ) ae zeo. Note Thus U e e n1 q n1 e nt q nt = e m1 q m1 + + e ms q ms Hence f em1 q m 1 + +e ms qms,q = = s s f em i q m i,q f emi,q m i Q i=1 i=1 s i=1 s 1 i=1 f em i q m i,q (P ) Z e (+)(Q, P ) f Ue e n1 q n 1 e nt q n t,q = f Ue,Qf en1 q n 1 e nt q n t,q t = f U e,q (P ) f e n j q n j,q (P ) Z e ( )(Q, P ) j=1 l emi q m i Q,(e mi+1 q m i+1 + +e ms q ms )Q v (emi q m i + +e ms q ms )Q f U e,q (P ) t j=1 f en j q n j,q (P ) Z e ( )(Q, P ) = s i=1 f em i q m i,q Z e (+)(Q, P ) and, fom [25], we have Z e (Q, P ) = f Ue,Q (P ) i=0 f ei q i,q (P ) = Z e(+)(q, P ) Z e ( )(Q, P ) Poof (Poof of Lemma 2). Let Q G 2, θ F q and e Z l. We will constuct k a witness fo the existentially quantified h. Fom Lemma 14 of [11], we have f μ, νq (X, Y ) = { 1 μ = 1 f μ,ν,1(x)+y f μ,ν,2(x) v μνq μ > 1

18 whee f μ,ν,1, f μ,ν,2 F q k[x] such that μ + 1 μ deg(f μ,ν,1 ), deg(f μ,ν,2 ) Fom Lemma 1, we have Z e (Q, (x, y)) = Z e (+)(x, y) A(x, y) =: Z e ( )(x, y) B(x, y) fo all (x, y) G 1 whee A = B = 1 i s e mi 2 ( femi,qm i,1 + Y f emi,qm i,2) 1 j t e nj 2 s 1 l emi q m i Q,(e mi+1 q m i+1 + +e ms q ms )Q i=1 1 j t e nj 2 ( ) f enj,q n j,1 + Y f enj,q n j,2 v enj q n j Q t 1 v ( enj+1 q n j+1 e nt q n t )Q j=1 1 i s e mi 2 v emi q m i Q t 1 s 1 l enj q n j Q,( e nj+1 q n j+1 e nt q n t )Q v (emi q m i + +e ms q ms )Q j=1 i=1 Finally, we popose the following h as a witness fo the existential quantification: h = A θb. We will show that h is indeed a witness satisfying the thee conditions. (a) (x, y) G 1, Z e (Q, (x, y)) = θ = h(x, y) = 0.: Let (x, y) G 1. Assume that θ = Z e (Q, (x, y)). Then Obviously θ = A(x,y) B(x,y). Thus h(x, y) = A(x, y) θb(x, y) = 0.

19 (b) deg X (h) e 1 : Note deg X (A) ei e i 2 e i 2 e i 1 e i 1 = ei e i 2 e i 2 e i=1 e i= 1 e i + e i + e i + e i e i 2 e i 2 e i =1 e i = 1 = e 1 deg X (B) ei e i 2 e i 2 e i 1 e i 1 = ei e i 2 e i 2 e i= 1 e i=1 e i + e i + e i + e i e i 2 e i 2 e i = 1 e i =1 = e 1 Hence deg X (h) e 1. (c) deg Y (h) 2 max{s, t}: Note deg Y (A) s + s 2s, deg Y (B) t + t 2t Hence deg Y (h) 2 max{s, t}. Poof (Poof of Lemma 3). Note f s k 1,Q = f s k 1,Q = f sk,q = fs,q s fs,sq sk 2 f s,s Q Since s q (mod ) and f s,sq = f s,qq = f q s,q, we have f s k 1,Q = f s,q s f qsk 2 s,q f q s,s k 2 Q = f s +qs k 2 + +q s,q (2) Let u = s + qs k q. Then u kq mod. Raising Eq. (2) to the powe (q k 1)/, we have t(q, P ) sk 1 = f s,q (P ) (qk 1) u. Since sk 1, we have t(q, P ) sk 1 = 1 f s,q (P ) (qk 1) = 1.

20 Theefoe, f s i,q(p ) qk 1 = f (si 1 +s i 2 q+...+q i 1 ) qk 1 s,q = 1 fo 0 i k 1. Note t(q, P ) λe(s) = f,q (P ) λe(s) q k 1 = f λe(s),q(p ) qk 1 = f e0 + +e s,q (P ) q k 1 = = = f ejs j,q (P ) q k 1 k 2 l ejs j Q,(e j+1s j+1 + +e s )Q (P ) v (ejs j + +e s )Q (P ) f s j,q (P ) ej q k 1 1 e j f ej,q j Q (P ) q k 1 q k 1 k 2 l ejq j Q,(e j+1q j+1 + +e q )Q (P ) v (ejq j + +e q )Q (P ) k 2 l f qj ejq e j,q (P ) j Q,(e j+1q j+1 + +e q )Q (P ) v (ejq j + +e q )Q (P ) q k 1 q k 1 = Z e (Q, P ) q k 1 = a e (Q, P ) The claim follows immediately fom the elation t(q, P ) λe(s) = a e (Q, P ). Poof (Poof of Lemma 4). We fist obseve that = 9 and ϕ (k) = 2 satisfy the above two conditions. We will show that the two cuves defined by 1/ϕ(k) = ϕ (k), 1/ϕ(k) = (log 2 ) α do not meet when ϕ (k) > 2. The above system is equivalent to The fist equation is equivalent to 1/ϕ(k) = ϕ (k) (log 2 ) α = ϕ (k) log 2 = ϕ (k) log 2 ϕ (k) By substituting it into the second equation, we have ϕ (k) α (log 2 ϕ (k)) α = ϕ (k), which does not have a solution when ϕ (k) > 2. Thus the above two cuves do not meet when ϕ (k) > 2. Theefoe, we conclude that C α is an infinite set.